REVOKE does not work!

#1

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?
PS: sorry for bad English, I am not English mother tongue.

#2

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#3

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#4

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#5

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#6

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#7

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#8

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#9

Coniglio Sgabbiato schrieb:

Quote:

Hi, I created a new role as owner of a new schema that is different from
the public one. The new role wasn't created as superuser. Some time
after I granted the SELECT to this role on some tables of public schema.
I was scared to notice that the new role can create new tables on public
schema even it cannot do any update on the former existent public schema
tables. I tried to explicitly revoke the create right on public schema
but it does not work, any clue? why such weird behavior of Postgres? am
I making any mistake or Postgres just sucks so much on privileges
management?

Well you should tell us how you created the new login role:-)

Quote:

PS: sorry for bad English, I am not English mother tongue.

#10

Coniglio Sgabbiato <nobody (AT) nowhere (DOT) it> wrote:

Quote:

am I making any mistake or Postgres just sucks so much on privileges
management?

Most of the people who read this newsgroup are somewhat partial to
PostgreSQL.

It is a fairly annoying, alas frequently encountered, practice to attack
the theme of a newsgroup in a non-technical fashion in the hope to
elicit information from people who feel tempted to run to the aid of
the thusly abused.

Common baits along this line are "is it possible that PostgreSQL cannot
do this when SQL Server can" or the one you used above.

So, sorry for being so uncouth, but it's not PostgreSQL that sucks on
privilege management, it is you.

And maybe you should REVOKE CREATE ON SCHEMA PUBLIC FROM PUBLIC if you
don't want everybody to be allowed to create tables in that schema.

These things are well described in the documentation:
http://www.postgresql.org/docs/curre...L-SCHEMAS-PRIV

Yours,
Laurenz Albe