PostgreSQL – Why Can a New User Create Tables?

permissionspostgresql

I followed two tutorials to create a DB with:

a fully privileged user link
a read-only user link

I then got a tip from CJ Estel's tutorial stating that "you may have inherited the ability to create tables even though we never explicitly gave it to our new user". Sure enough, the read-only user is able to create and own tables!

CJ Estel has pointed the root cause very well, namely a template database. But the ability to create tables undermines most tutorials you get from googling "read only user postgres" including one hosted on postgresql.org. Your user has more than read-only privileges!

Why does a new user have this ability? After revoking this privilege, is the database truly read-only for that user?

Best Answer

TL;DR: New users can create tables in the public schema because people complained that it was too hard when they couldn't.

If you dislike the defaults, you should probably create a new template database with the initial configuration that you want. For example, you might:

DROP SCHEMA public;

REVOKE ALL ON SCHEMA public FROM public;
GRANT USAGE ON SCHEMA public TO public;

in your template.

If you wish the public user to have no rights on a database, you should additionally:

REVOKE ALL ON DATABASE mydbname FROM public;
GRANT CONNECT ON DATABASE mydbname TO public;

so that the public user cannot create schemas or use temp tables.

Personally, if I was designing this, I'd give users the TEMP right on the database by default, but not CREATE (schemas in database) or CREATE (tables in the public schema). I'd reserve those for the owner.

They're choices that were made a long time ago, though, and it's pretty hard to change them now.

As it is, there are regular complaints that it's too hard to get started with PostgreSQL because you have to create a user account and often want to create a database too. Why don't we just auto-create them and default to 'trust' as the auth-mode to make it easy? Why doesn't the postgres user default to having the password postgres? Why don't we just auto-create users if they exist in the OS? etc.

There are some genuine usability problems for new users - in particular, most people have no idea what peer auth is, or why just running psql after installing PostgreSQL tells them there's no user by the name they're logged in as.

It's also messy that pg_hba.conf is a config file, but users are created at the SQL level. This split confuses users.

Lots of things, though, are compromises between secure defaults and easy defaults where the project isn't ever going to make everybody happy.

Related Solutions

Postgresql – Number of virtual tables that specified user is able to write queries in PostgreSQL

I try to answer your question - to be correct, I try to answer the question I think you've asked (see the comments). Until then I'll assume that a virtual table is simply a table and you want to count the tables a user has SELECT privilege on.

First, you have to collect all roles which the given user belongs to. This will include the user itself, all roles that are granted to it, all roles that are granted to the roles granted to your user etc., and finally, but usually most importantly, the PUBLIC role.

You can collect these from the information_schema.applicable_roles view with a query like this:

WITH RECURSIVE privs(grantee, role_name) AS (
    SELECT grantee, role_name 
    FROM information_schema.applicable_roles 
    WHERE grantee = 'my_user'

    UNION ALL

    SELECT ar.grantee, ar.role_name
    FROM 
        information_schema.applicable_roles ar 
        JOIN privs ON ar.grantee = privs.role_name
)
SELECT role_name FROM privs

UNION 

SELECT 'my_user'

UNION 

SELECT 'PUBLIC'

Then you have to consult the information_schema.table_privileges view. In order to see all the rows belonging to all grantees, you have to be logged in as a superuser. With an ordinary user you will see only the roles granted to your user (including indirectly granted roles, ie. if the grants are user -> user1 -> user2, you will see user -> user1 and user1 -> user2 if logged in as user, and only user1 -> user2 if logged in as user1.)

Here you can look for tables with SELECT privilege like

SELECT table_name
FROM information_schema.table_privileges
WHERE 
    privilege_type = 'SELECT'
    AND grantee IN (... the recursive query above goes here ...)
;

Turning this into a count is left as an exercise for the reader :)

PostgreSQL – Why New User Can Create Table

When you create a new database, any role is allowed to create objects in the public schema. To remove this possibility, you may issue immediately after the database creation:

REVOKE ALL ON schema public FROM public;

Edit: after the above command, only a superuser may create new objects inside the public schema, which is not practical. Assuming a non-superuser foo_user should be granted this privilege, this should be done with:

GRANT ALL ON schema public TO foo_user;

To know what ALL means for a schema, we must refer to GRANT in the doc, (in PG 9.2 there are no less than 14 forms of GRANT statements that apply to different things...). It appears that for a schema it means CREATE and USAGE.

On the other hand, GRANT ALL PRIVILEGES ON DATABASE... will grant CONNECT and CREATE and TEMP, but CREATE in this context relates to schemas, not permanent tables.

Regarding this error: ERROR: no schema has been selected to create in, it happens when trying to create an object without schema qualification (as in create table foo(...)) while lacking the permission to create it in any schema of the search_path.

Best Answer

Related Solutions

Postgresql – Number of virtual tables that specified user is able to write queries in PostgreSQL

PostgreSQL – Why New User Can Create Table

Related Question