Postgresql – How to reset object permissions to default

permissionspostgresql

I've just been added to a project using Postgresql 11.4 where database security has been an afterthought. As part of tightening things up, I've used ALTER DEFAULT PERMISSIONS to set sane ACLs on any new objects (schemas, tables, functions, sequences) created. However, there are hundreds of existing objects already in this database with wacko permissions.

Is there a command that will reset the permissions of an object (or group of objects) to the defaults (as seen with \ddp)? Something like the equivalent of REASSIGN OWNED for object ownership, but instead for acls.

Best Answer

The only way I can think of is directly modifying the system catalog tables.

To remove all permissions from s.tab, you can

UPDATE pg_class
SET relacl = NULL
WHERE oid = 's.tab'::regclass;

But then you also have to remove the dependencies between the table and all roles which had privileges on the table:

DELETE FROM pg_shdepend
WHERE classid = 'pg_class'::regclass
  AND refclassid = 'pg_authid'::regclass
  AND objid = 's.tab'::regclass
  AND deptype = 'a';

Needless to say, this is very dangerous, and I cannot guarantee that I didn't forget anything…

Related Solutions

MySQL Permissions Necessary To Reset Password

A user should be able to change his/her own password strictly using SET PASSWORD.

For a connected user to set the new password to mynewpass, just run the following:

mysql> SET PASSWORD = PASSWORD('mynewpass');

According to the MySQL Documentation on SET PASSWORD, if the server is a read-only enabled server, you need SUPER privilege to do this. Otherwise, you can do this any time. There is no need for another user to set someone else's password. If you need a super user to set it you can still use SET PASSWORD.

To set the password of 'someuser'@'10.1.2.30' to hisnewpass, run this:

mysql> SET PASSWORD FOR 'someuser'@'10.1.2.30' = PASSWORD('hisnewpass');

According to the MySQL Documentation on SET PASSWORD, this is the equivalent of:

UPDATE mysql.user SET Password=PASSWORD('hisnewpass')
WHERE User='someuser' AND Host='10.1.2.30';
FLUSH PRIVILEGES;

Using SET PASSWORD does not warrant manipulating mysql.user.

PostgreSQL Group Roles – Understanding and Managing

It sounds like what you probably want is to:

Create a role to own all the common tables and schema, or just use your own if you really will always be the only one with full control of the main tables.
Create another role you intend to give only read-only access to the shared tables and schemas. GRANT that role rights using GRANT SELECT ON ALL TABLES IN SCHEMA [x] for each shared schema. You may also want to ALTER DEFAULT PRIVILEGES to make sure this role has read rights on any new tables created in these schemas too.
Now GRANT each user membership of the read-only access role with INHERIT.
For the private schemas, create a schema the same as the user's username with CREATE SCHEMA [username] AUTHORIZATION [username] or the older style where you create the schema then ALTER SCHEMA ... OWNER TO.

See the postgresql manual for the detailed syntax of all of the above commands. Start with user management, part of the broader database administration topic that includes grant management etc. The PostgreSQL manual is detailed, comprehensive and readable: reading it is strongly recommended.

Best Answer

Related Solutions

MySQL Permissions Necessary To Reset Password

PostgreSQL Group Roles – Understanding and Managing

Related Question