Using Postgres on Heroku is it possible to set permissions on the system catalog tables?
Specifically, I am trying to revoke select permissions on pg_proc.
REVOKE SELECT ON TABLE pg_proc FROM public;
my-development::DATABASE=> REVOKE SELECT ON TABLE pg_proc FROM public;
WARNING: no privileges could be revoked for "pg_proc"
WARNING: no privileges could be revoked for column "tableoid" of relation "pg_proc"
WARNING: no privileges could be revoked for column "cmax" of relation "pg_proc"
WARNING: no privileges could be revoked for column "xmax" of relation "pg_proc"
WARNING: no privileges could be revoked for column "cmin" of relation "pg_proc"
WARNING: no privileges could be revoked for column "xmin" of relation "pg_proc"
WARNING: no privileges could be revoked for column "ctid" of relation "pg_proc"
WARNING: no privileges could be revoked for column "oid" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proname" of relation "pg_proc"
WARNING: no privileges could be revoked for column "pronamespace" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proowner" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prolang" of relation "pg_proc"
WARNING: no privileges could be revoked for column "procost" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prorows" of relation "pg_proc"
WARNING: no privileges could be revoked for column "provariadic" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prosupport" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prokind" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prosecdef" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proleakproof" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proisstrict" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proretset" of relation "pg_proc"
WARNING: no privileges could be revoked for column "provolatile" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proparallel" of relation "pg_proc"
WARNING: no privileges could be revoked for column "pronargs" of relation "pg_proc"
WARNING: no privileges could be revoked for column "pronargdefaults" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prorettype" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proargtypes" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proallargtypes" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proargmodes" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proargnames" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proargdefaults" of relation "pg_proc"
WARNING: no privileges could be revoked for column "protrftypes" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prosrc" of relation "pg_proc"
WARNING: no privileges could be revoked for column "probin" of relation "pg_proc"
WARNING: no privileges could be revoked for column "prosqlbody" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proconfig" of relation "pg_proc"
WARNING: no privileges could be revoked for column "proacl" of relation "pg_proc"
REVOKE
I created a user on my DB following these steps:
CREATE USER user WITH PASSWORD 'password';
GRANT CONNECT ON DATABASE my-database TO user;
GRANT USAGE ON SCHEMA public to user;
GRANT SELECT ON ALL TABLES IN SCHEMA public to user;
Now I'm trying to delete it but I keep receiving errors:
I'm doing the following:
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM user;
For this I receive: ERROR: permission denied for relation accounts
REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM user;
For this I receive: ERROR: permission denied for sequence accounts_user_id_seq
REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public FROM user;
For this I receive:
WARNING: no privileges could be revoked for "uuid_nil"
WARNING: no privileges could be revoked for "uuid_ns_dns"
WARNING: no privileges could be revoked for "uuid_ns_url"
WARNING: no privileges could be revoked for "uuid_ns_oid"
WARNING: no privileges could be revoked for "uuid_ns_x500"
WARNING: no privileges could be revoked for "uuid_generate_v1"
WARNING: no privileges could be revoked for "uuid_generate_v1mc"
WARNING: no privileges could be revoked for "uuid_generate_v3"
WARNING: no privileges could be revoked for "uuid_generate_v4"
WARNING: no privileges could be revoked for "uuid_generate_v5"
And if I try DROP USER user;
ERROR: role "user" cannot be dropped because some objects depend on it
DETAIL: owner of table accounts
owner of sequence accounts_user_id_seq
privileges for table migrations
privileges for table attributes
privileges for table system_flags
privileges for table entity_flags
privileges for table audits
privileges for table users
I am totally blocked. I'll appreciate the help.
After running
db=> GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
WARNING: no privileges were granted for "pg_stat_statements"
GRANT
I tried to
drop trigger t_table on tablex;
I got this result
[42501] ERROR: must be owner of relation tablex
This is everything I ran to change my privileges:
GRANT CONNECT ON DATABASE dbx to userx;
GRANT USAGE ON SCHEMA public to userx;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO userx;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES TO userx;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON FUNCTIONS TO userx;
What could I possibly be missing? Could WARNING: no privileges were granted for "pg_stat_statements" mean something, or is it stopping at that table and not adding the privileges?
Like the error message says, only the table owner (and a superuser) can do that.
The TRIGGER privilege allows you to create a trigger on the table, but not to drop one.
Ownership is not a privilege you can grant; you have to use ALTER TABLE ... OWNER TO ... for that.
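The difference between the TRIGGER privilege and ownership, as an added example that is not part of the original answer. It reuses tablex, t_table and userx from the question and assumes the table lives in schema public.

```sql
-- Who owns the table, and does userx hold the TRIGGER privilege on it?
SELECT c.oid::regclass                                 AS table_name,
       pg_get_userbyid(c.relowner)                     AS owner,
       has_table_privilege('userx', c.oid, 'TRIGGER')  AS userx_has_trigger
FROM pg_class AS c
WHERE c.oid = 'public.tablex'::regclass;

-- Even when userx_has_trigger is true, DROP TRIGGER fails for userx unless
-- userx is the owner, a member of the owning role, or a superuser.

-- Run as the current owner or a superuser. A non-superuser owner must also be
-- able to SET ROLE to userx, and userx needs CREATE on schema public.
ALTER TABLE public.tablex OWNER TO userx;

-- Connected as userx, the statement from the question now succeeds.
DROP TRIGGER t_table ON public.tablex;
```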
We granted third-party software access to our PostgreSQL database. After a billing dispute we have now cut ties with this company but cannot delete the user. We need to delete this user soon but can't figure out how to do it. Here's some of what we're seeing when we try to do it:
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> REVOKE ALL ON ALL TABLES IN SCHEMA PUBLIC FROM evil_user;
REVOKE
prod=> drop role evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> REVOKE ALL ON SCHEMA public FROM evil_user;
REVOKE
prod=> REVOKE ALL ON DATABASE prod FROM evil_user;
REVOKE
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
^
prod=> ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM evil_user;
ALTER DEFAULT PRIVILEGES
prod=> drop user evil_user;
ERROR: role "evil_user" cannot be dropped because some objects depend on it
DETAIL: owner of default privileges on new relations belonging to role evil_user
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
We need to get these people out of our database. For a number of reasons we cannot easily move to a new Postgres instance.
There are unintuitive permission requirements when using REASSIGN without a superuser account, such as on RDS and Cloud SQL, but it is possible as long as your current_user has permission to GRANT evil_user TO prod. See this other post where I answered the same question: https://stackoverflow.com/a/62557497/79079
prod=> reassign owned by evil_user to root;
ERROR: permission denied to reassign objects
You must perform this action as a postgres superuser account, usually the user postgres.
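One way to offboard the role without a superuser account, as an added example that is not taken from either answer. It assumes the connected admin role may grant membership in evil_user (CREATEROLE or ADMIN OPTION) and is already a member of root, the role that keeps the objects.

```sql
-- 1. Block new logins first (needs the right to alter the role).
ALTER ROLE evil_user NOLOGIN;

-- 2. REASSIGN OWNED needs membership in both the old and the new owner.
GRANT evil_user TO CURRENT_USER;

-- 3. End sessions that are still open under the role.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'evil_user';

-- 4. Inventory what still references the role in this database.
--    deptype 'o' = owner (including owner of default privileges),
--    deptype 'a' = named in an ACL.
SELECT s.deptype,
       pg_describe_object(s.classid, s.objid, s.objsubid) AS object
FROM pg_shdepend AS s
JOIN pg_roles AS r ON r.oid = s.refobjid
WHERE s.refclassid = 'pg_authid'::regclass
  AND r.rolname = 'evil_user'
  AND s.dbid IN (0, (SELECT oid FROM pg_database
                     WHERE datname = current_database()));

-- 5. Hand owned objects to root, then remove the remaining grants and the
--    default-privilege entries that REASSIGN OWNED leaves in place.
--    Repeat steps 4 and 5 in every database of the cluster.
REASSIGN OWNED BY evil_user TO root;
DROP OWNED BY evil_user;

-- 6. Once step 4 returns no rows in any database, the role can be dropped.
DROP ROLE evil_user;
```

Run DROP OWNED only after REASSIGN OWNED has succeeded, because DROP OWNED also drops any objects the role still owns in the current database.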
Looking at some tables in pgAdmin, I can see table definitions with the following statements
ALTER TABLE table_name
OWNER TO user_name;
GRANT ALL ON TABLE table_name TO user_name;
Other tables in the same database omit the second GRANT ALL statement, and I suspect it is redundant, given that user_name is already the OWNER of table_name.
So, is the GRANT ALL redundant in this case, and if so am I able to remove its definition (from the table_name > Properties > Privileges tab)?
Thanks
Probably not but see below.
Owners by default have full rights on the table, and note they can also grant rights on their own tables. This is independent of any rights given to public. See:
chris=> create table footest(id int);
CREATE TABLE
chris=> revoke all on footest from public;
REVOKE
chris=> insert into footest values (1);
INSERT 0 1
chris=> revoke all on footest from chris;
REVOKE
chris=> insert into footest values (1);
ERROR: permission denied for relation footest
chris=> grant all on footest to chris;
GRANT
chris=>
So unless you already revoked the permissions you do not need to grant them.
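A catalog check for the situation shown in the session above, as an added example that is not part of the original answer: it lists tables whose owner has lost at least one basic data privilege. The schema filter is an assumption; footest and chris come from the session.

```sql
-- Tables (ordinary and partitioned) whose owner is missing SELECT, INSERT,
-- UPDATE or DELETE. has_table_privilege() also counts rights held through
-- PUBLIC or role membership and is always true for superusers.
SELECT c.oid::regclass             AS table_name,
       pg_get_userbyid(c.relowner) AS owner,
       c.relacl                    AS acl   -- NULL means built-in defaults
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT (    has_table_privilege(c.relowner, c.oid, 'SELECT')
           AND has_table_privilege(c.relowner, c.oid, 'INSERT')
           AND has_table_privilege(c.relowner, c.oid, 'UPDATE')
           AND has_table_privilege(c.relowner, c.oid, 'DELETE'));

-- Only tables returned above need the explicit grant back to their owner.
GRANT ALL ON TABLE footest TO chris;
```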
I entered postgres console with sudo and did this:
create user uu with password 'uu';
create database u_db owner uu;
grant all privileges on u_db to uu;
Error: Relation u_db doesn't exist.
You have to use the keyword DATABASE for granting here. Here is the output from psql:
postgres=# create user uu with password 'uu';
CREATE ROLE
postgres=# create database u_db owner uu;
CREATE DATABASE
postgres=# grant all privileges on u_db to uu;
FEHLER: Relation »u_db« existiert nicht
postgres=# grant all privileges on database u_db to uu;
GRANT
However, IMHO, through the owner setting of the database you don't need to grant extra rights for the user uu.