Thread: REVOKE CONNECT doesn't work in 8.3.5
Hi,

It seems REVOKE CONNECT doesn't work as advertised.

I have "trust" entries in pg_hba.conf because my machine is closed.
I added some PG users, and one of them was used in:

    REVOKE CONNECT ON DATABASE zozo FROM hs;

However, user "hs" can happily connect to database "zozo"
despite the REVOKE.

Documentation says at
http://www.postgresql.org/docs/8.3/interactive/sql-grant.html :

    CONNECT
    Allows the user to connect to the specified database. This privilege
    is checked at connection startup (in addition to checking any
    restrictions imposed by pg_hba.conf).

To me, this means that REVOKE CONNECT is a veto over "trust".
Is it not?

Best regards,
Zoltán Böszörményi

--
Bible has answers for everything. Proofs:
"But let your communication be, Yea, yea; Nay, nay: for whatsoever is more
than these cometh of evil." (Matthew 5:37) - basics of digital technology.
"May your kingdom come" - superstitious description of plate tectonics

----------------------------------
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/

Zoltan Boszormenyi <zb@cybertec.at> writes:
> I have "trust" entries in pg_hba.conf because my machine is closed.
> I added some PG users, and one of them was used in:
> REVOKE CONNECT ON DATABASE zozo FROM hs;
> However, user "hs" can happily connect to database "zozo"
> despite the REVOKE.

Unless you had previously done a specific GRANT CONNECT TO hs,
the above command doesn't do a darn thing. The privilege that
actually exists by default is a grant of connect to PUBLIC.
What you need to do is REVOKE FROM PUBLIC, and then GRANT to
whichever users/groups you want to allow to connect.

regards, tom lane

Tom Lane wrote:
> Zoltan Boszormenyi <zb@cybertec.at> writes:
>> I have "trust" entries in pg_hba.conf because my machine is closed.
>> I added some PG users, and one of them was used in:
>> REVOKE CONNECT ON DATABASE zozo FROM hs;
>> However, user "hs" can happily connect to database "zozo"
>> despite the REVOKE.
>
> Unless you had previously done a specific GRANT CONNECT TO hs,
> the above command doesn't do a darn thing. The privilege that
> actually exists by default is a grant of connect to PUBLIC.
> What you need to do is REVOKE FROM PUBLIC, and then GRANT to
> whichever users/groups you want to allow to connect.
>
> regards, tom lane

Thanks very much for the clarification.
The documentation doesn't spell it out as clearly.
Another possibility is that I can't read and interpret correctly. :-)

--
Bible has answers for everything. Proofs:
"But let your communication be, Yea, yea; Nay, nay: for whatsoever is more
than these cometh of evil." (Matthew 5:37) - basics of digital technology.
"May your kingdom come" - superstitious description of plate tectonics

----------------------------------
Zoltán Böszörményi
Cybertec Schönig & Schönig GmbH
http://www.postgresql.at/
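
The REVOKE FROM PUBLIC / GRANT sequence described in the reply above, written out as an added example that is not part of the original thread. Database "zozo" and role "hs" come from the thread; role "zozo_app" is a hypothetical role standing in for whoever should keep access.

```sql
-- Added example, not from the thread. "zozo_app" is a hypothetical role.

-- 1. Inspect the database ACL. A NULL datacl means the built-in defaults
--    apply, and those defaults include CONNECT for PUBLIC.
SELECT datname, datacl
  FROM pg_database
 WHERE datname = 'zozo';

-- 2. Ask for the effective privilege rather than reading ACL entries by
--    eye: has_database_privilege() counts direct grants, grants inherited
--    through role membership, and grants to PUBLIC.
SELECT has_database_privilege('hs', 'zozo', 'CONNECT') AS hs_can_connect;

-- 3. The statement from the original post. "hs" holds no CONNECT grant of
--    its own, so there is nothing to remove and the PUBLIC grant is left
--    in place. Re-running the query from step 2 shows no change.
REVOKE CONNECT ON DATABASE zozo FROM hs;

-- 4. The fix from the reply: remove the default grant to PUBLIC, then
--    grant CONNECT only to the roles that should reach this database.
--    Doing both in one transaction avoids a window in which legitimate
--    users are locked out.
BEGIN;
REVOKE CONNECT ON DATABASE zozo FROM PUBLIC;
GRANT  CONNECT ON DATABASE zozo TO zozo_app;
COMMIT;

-- 5. Audit the result for every role. Superusers bypass privilege checks
--    and the database owner keeps its own privileges, so those roles still
--    show as able to connect; pg_hba.conf remains a separate, additional
--    gate in front of this check.
SELECT rolname,
       rolsuper,
       has_database_privilege(rolname, 'zozo', 'CONNECT') AS can_connect
  FROM pg_roles
 ORDER BY rolname;
```

The same default grant to PUBLIC exists on every database in the cluster, so the audit in step 5 is worth repeating per database when pg_hba.conf uses "trust".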