Revoke access to postgres database for a role

7
votes

I have created a separate role "newrole" and new schema "newschema" for a certain user that should only execute some stored functions. I have managed to revoke access to schema "public" for the current database.

Logged in as "newrole" I still have access to postgres database like this:

SELECT * FROM pg_user

I want to revoke all access to the postgres database and tried following that not work:

REVOKE ALL ON DATABASE postgres FROM newrole

When logged in as newrole I can still read the postgres database.

How do I revoke any access to the postgres admin database?

I have searched a long time but not found anything regarding access to the postgres admin database.

TIA,

2
postgresqlpostgresql-9.4
What user do you want to remove? All users?Trevor Clarke
Only the "newrole". Normal users does not access the database directly and sometimes need access to the postgres database for other reasons.sibert
I believe the connect privilege needs to be specified, try REVOKE connect ON DATABASE [dbname] FROM publicLucas

2 Answers

8
votes

This issue has nothing to do with database postgres. Instead, you want to manipulate the catalog of the current database. Every database has a catalog of information on all objects in schema pg_catalog, and in standards-compliant form in schema information_schema, so you should restrict access to those for the role in question and also for the public role because every role is also member of that role:

REVOKE ALL PRIVILEGES ON SCHEMA pg_catalog FROM newrole;
REVOKE ALL PRIVILEGES ON SCHEMA pg_catalog FROM public;
REVOKE ALL PRIVILEGES ON SCHEMA information_schema FROM newrole;
REVOKE ALL PRIVILEGES ON SCHEMA information_schema FROM public;

However, the system does not always honour this accross-the-board restriction, the catalogs are there for a reason and provide important functions in the database. Particularly functions may still execute.

In general, you do not want to fiddle with the catalogs unless you really know what you are doing.

3
votes

you should be able to run this:

select *  FROM information_schema.table_privileges where grantee = 'newrole';

to display all the privileges for newrole. With that information you should be able to explicitly revoke everything other than access to 'newschema'