I'm just learning PostgreSQL. Every time I create users, they seem to have the full privileges to do anything in any database:
$ sudo useradd fool # create the user "fool" in the system
# And in postgresql, as restrictively as possible
$ sudo -u postgres createuser fool --no-superuser --no-createdb --no-createrole --no-inherit
$ sudo -u fool psql postgres # but it can still connect to the "postgres" db
postgres=> drop table ids; # and delete tables
DROP TABLE
I tried creating the user through the create user PostgreSQL command rather than the command-line tool but it had exactly the same effect.
How can I create a user that only has privileges to access its own database? Or do I have to specifically revoke all permissions after creating the user? 'Cos that kinda sucks from a security perspective - it's easy to accidentally forget (or just not know it's necessary) to revoke permissions for new users.
All roles are "members" of the pseudo-role PUBLIC. And by default PUBLIC has many privileges. My practice is to revoke all privileges from PUBLIC where I need and grant various combinations to specific roles. A recent addition helps with that - ALTER DEFAULT PRIVILEGES. Another, not so flexible but easier, method is the CONNECT privilege.
Related
I am new to technologies , please do not judge my question too strong :).
I installed in My Ubuntu 18.04 PostgreSQL 10.7. To be able to enter my DB I need to enter the following commands from my terminal. sudo -u postgres psql.
Is there any shortened way where I can connect it from my Ubuntu User account. For example. if I input psql it will open database environment where I can type PostgreSQL commands.
Thank you.
Just execute this command in your terminal :
alias psql='sudo -u postgres psql'
So the next time, you input psql and execute, you will be in database environment.
I see two options:
1) Create alias for this command sudo -u postgres psql .
2) Go to psql and create new superuser and database for it:
CREATE ROLE username SUPERUSER;
ALTER ROLE username WITH LOGIN;
CREATE DATABASE username;
You shouldn't be using the superuser account for your normal database work. That is as if you were using root for everything in Linux.
You need to create a regular user with the privileges to create or modify tables in your database. This can be done by granting the user all privileges on the database (which is not the same as making that user a superuser) or make that user the owner of that database.
As documented in the manual psql tries to connect to a database with the name of the current Linux user and with a database user with the name of the current Linux user. So if you want to keep things simple create a user with your regular Linux user's name and an database that is owned by that user:
create user rob password 'somepassword';
create database rob owner = rob;
Assuming your Linux user is rob, then all you need to do is:
psql
and you are connected to a database where you can create and manage tables.
Depending on how you installed Postgres, you might need to adjust pg_hba.conf to allow rob to log in directly.
Again: please do NOT use the superuser account for your normal work.
I want to grant read/write privileges to new user only to one database, so he can't access other databases.
After I created new user with:
sudo -u postgres createuser <username> What privileges this user get?
Is this all I need:
GRANT ALL PRIVILEGES ON my_db TO new_user; to get access to only one database?
What is the best way to do this?
Using PostgreSQL 10
By default, PUBLIC (everyone) is allowed to connect to all databases. So you'd have to revoke that privilege and hand out CONNECT more judiciously.
In addition to that, you'd have to make sure that every user has CREATE on all schemas in “his” database and the necessary privileges on all tables, because privileges on the database itself are not enough to access the objects in the database.
It could be the simplest solution to use REASSIGN OWNED to give the user ownership of all objects in “his” database.
I am pretty much confused about root user,super user,user and permissions! I am not able to create a database inside user "athleticu". Following are the commands I used:-
athleticu#ip-172-30-4-103:/home/ubuntu$ createdb -T template0 simple_db1
createdb: database creation failed: ERROR: permission denied to create database
athleticu#ip-172-30-4-103:/home/ubuntu$ sudo createdb -T template0 simple_db1
sudo: unable to resolve host ip-172-30-4-103
createdb: could not connect to database template1: FATAL: role "root" does not exist
Please somebody clarify my doubts and tell me what should I write!
Hey I have already solved this. What you have to do is to first login as postgres user as follows:
$ su postgres
$ psql
postgres=# alter user athleticu createdb;
ALTER ROLE
Hope it helps you :)
Type \du in psql and you will see a list of all the registered users and what type of privileges each one has.
In order to grant privileges to the user which is logged in (eg 'user1'), I had to sign out and log in using one of the superuser roles in that list (eg. 'user2'), using the following command:
psql -U 'user2' -h localhost 'database2'
where 'database2' is the name of the one that specific superuser 'user2' has privileges to.
Once you are logged in as a superuser, you can grant privileges to 'user1' by:
ALTER ROLE user1 WITH CREATEDB
or
ALTER ROLE user1 WITH SUPERUSER
Then sign in again as user1, who is now a superuser.
This blog was helpful as well as this link.
Currently, this worked for me:
sudo su postgres
psql
ALTER USER username WITH CREATEDB;
\q
exit
The root user is an account on the system independent from Postgres. There is only one root user.
A superuser is an account in Postgres with access to everything. There may be many superusers.
System accounts and Postgres accounts are different things, although unless you specify a Postgres username when you connect to the database (through utilities like psql, createdb, dropdb, or otherwise), it will use the current system user's name in hopes that there is a corresponding Postgres account with the same name. The root user does not, by default, have a corresponding account in Postgres.
When you install Postgres on *nix, it creates both a superuser named postgres and a system user named postgres.
Therefore, when you need to do something with Postgres as the built-in superuser, you have two options:
You may sudo su - postgres to become the postgres system user and execute your command (createdb, psql, etc). Because the system user has the same name as the database superuser, your command will connect as the appropriate account.
You may specify the username to execute as with the -U switch, eg psql -U postgres ....
Depending on your Postgres server's authentication settings, you may be required to enter a password with either or both connection methods.
What you can do when you have fresh installation of PostgreSQL is create your user with some rights (see createuser documentation):
my-user> sudo su - postgres -c "createuser <my-user> --createdb"
This will allow my-user to create DBs just like so:
my-user> createdb <my-db>
If you want the my-user to be able to do anything just use the --superuser flag instead:
my-user> sudo su - postgres -c "createuser <my-user> --superuser"
I got the same error and I found out that the reason was that I was trying to create a database outside of psql as a user which did not exist for postgresql. I found out about it and solved it by taking the following steps:
In my terminal I logged in as postgres user (the root user by default for postgresql) by typing sudo -u postgres psql
While inside the psql I typed \du to see all users and their privileges. I found out that I had only one user (the postgres one) and I had to create another superuser which had the same username as my Linux user (george)
I typed (still inside psql) CREATE USER george SUPERUSER; and this way I created a new super user called george.
I exited psql (by typing \q) and I was now able from outside psql, meaning from my terminal, to run created db <database name> with no issues at all.
Error ? You are trying to perform database actions( Creating Database, creating Roles) using a user that doesn't have the permission for those types of actions you are trying to perform.
solution ? Simply login to your database on the command line, i.e for PostgreSQL one will use "sudo -u postgres psql", then confirm that users specific assigned roles using the command "\du", most probably he/she doesn't have the necessary permissions to perform the actions you wanted. Then simply assign the roles you want the user to perform ,i.e create Database or simply make user "Superuser" by following along(https://chartio.com/resources/tutorials/how-to-change-a-user-to-superuser-in-postgresql/)
When I attempt to enable hstore on my database:
=> CREATE EXTENSION IF NOT EXISTS hstore;
ERROR: permission denied to create extension "hstore"
HINT: Must be superuser to create this extension.
My user is not a superuser, but is the owner of the database.
According to the CREATE EXTENSION docs:
Loading an extension requires the same privileges that would be required to create its component objects. For most extensions this means superuser or database owner privileges are needed. The user who runs CREATE EXTENSION becomes the owner of the extension for purposes of later privilege checks, as well as the owner of any objects created by the extension's script.
What is hstore doing that requires superuser privileges? Is it affecting parts of the cluster outside the database I'm adding it to?
Further confundity:
The DB user Heroku Postgres provides is not a superuser:
Heroku Postgres users are granted all non-superuser permissions on their database. These include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.
However, that user is able to CREATE EXTENSION hstore:
To create any supported extension, open a session with heroku pg:psql and run the appropriate command:
$ heroku pg:psql
Pager usage is off.
psql (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
ad27m1eao6kqb1=> CREATE EXTENSION hstore;
CREATE EXTENSION
ad27m1eao6kqb1=>
(For context, I'm attempting to set up a Dokku deployment, so the comparison to Heroku is especially important.)
The hstore extension creates functions that call code from an external dynamic object, which requires superuser privilege. That's why creating the hstore extension requires superuser privilege.
As for Heroku, it is my understanding that they are running with a special extension whitelisting module, which allows users to create certain extensions even though they are not superusers. I believe it is based on this code: https://github.com/dimitri/pgextwlist. You can try to install that code yourself if you want the same functionality in your databases.
ALTER USER myuser WITH SUPERUSER;
If you run this command from a superuser, this solves your CREATE EXTENSION issue. You may check your available users with \du to find a superuser.
This is not related to heroku.
This is how I solved this issue in ubuntu 18.04.
Provide postgres super user access.
sudo su postgres
Then I run:
psql -U postgres your_database_name -c 'create extension hstore;'
Now I can alter table your_database_name and add hstore type columns in it.
Connect to your database
psql -d your_database_name -U your_user_role
And
alter table your_table_name add your_column_name HSTORE;
Though there might be saveral different ways to do it, but I solve it in this way.
Hope this will help novice users like me.
A fresh installation of PostgreSQL 9.3 (according to the YUM Installation manual on the PostgreSQL wiki) on CentOS 6 (64-bit) will not grant permissions to any users.
I log in to the postgres user and open psql, then I create a role for my default user:
CREATE ROLE <name> WITH PASSWORD '<password>';
and then try to grant it privileges on the default postgres database:
GRANT ALL ON DATABASE postgres TO <user>;
which gives the expected output, but the user does not have any permissions on postgres.
The output of \dp <user> is quizically empty as well. Additional testing shows that I cannot give any users permissions. However, when I try to drop a role that has been granted these nonexistent permissions, it says
ERROR: role "<user>" cannot be dropped because some objects depend on it
DETAIL: privileges for database postgres
I am at a loss. I did also check to make sure the postgres Linux user has the appropriate file permissions on the PostgreSQL data directory.
Presumably you're expecting too much of GRANT ALL ON DATABASE postgres TO <user>;
ALL in this context means that the command is equivalent to:
GRANT CREATE,CONNECT,TEMPORARY ON DATABASE postgres TO <user>;
And the way you create the ROLE, it cannot login to any database anyway (you can check this with \du).
It could if it was created with:
CREATE ROLE name WITH LOGIN PASSWORD 'pass';
or use ALTER ROLE name WITH LOGIN later on.
Starting from this, to give the user permissions to create objects in the database, other forms of GRANT should be used.