无法删除构成安全风险的postgresql用户

时间:2017-06-23 10:03:14

标签: postgresql security amazon-rds

我们授予第三方软件访问postgresql数据库的权限。在计费纠纷之后,我们现在已经切断了与该公司的关系,但无法删除该用户。我们需要尽快删除此用户,但无法弄清楚如何操作。以下是我们尝试执行此操作时所看到的一些内容:

prod=> drop user evil_user;
ERROR:  role "evil_user" cannot be dropped because some objects depend on it
DETAIL:  owner of default privileges on new relations belonging to role evil_user

prod=> reassign owned by evil_user to root;
ERROR:  permission denied to reassign objects

prod=> drop role evil_user;
ERROR:  role "evil_user" cannot be dropped because some objects depend on it
DETAIL:  owner of default privileges on new relations belonging to role evil_user
                         ^
prod=> REVOKE ALL ON ALL TABLES IN SCHEMA PUBLIC FROM evil_user;
REVOKE

prod=> drop role evil_user;
ERROR:  role "evil_user" cannot be dropped because some objects depend on it
DETAIL:  owner of default privileges on new relations belonging to role evil_user

prod=> REVOKE ALL ON SCHEMA public FROM evil_user;
REVOKE

prod=> REVOKE ALL ON DATABASE prod FROM evil_user;
REVOKE

prod=> reassign owned by evil_user to root;
ERROR:  permission denied to reassign objects

prod=> drop user evil_user;
ERROR:  role "evil_user" cannot be dropped because some objects depend on it
DETAIL:  owner of default privileges on new relations belonging to role evil_user
                                      ^
prod=> ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES     FROM evil_user;
ALTER DEFAULT PRIVILEGES

prod=> drop user evil_user;
ERROR:  role "evil_user" cannot be dropped because some objects depend on it
DETAIL:  owner of default privileges on new relations belonging to role evil_user

prod=> reassign owned by evil_user to root;
ERROR:  permission denied to reassign objects

我们需要让这些人离开我们的数据库。由于种种原因,我们无法轻易转移到新的Postgres实例。

2 个答案:

答案 0 :(得分:1)

import ----
import ----

let workerService = new WorkerService();
let creatWorkerPromise = Promise.promisify(workerService.createWorkers);

creatWorkerPromise()
.then(function(){
    let kafkaService =  new KafkaService(kafkaConfig, workerService);
})
.catch(function (err: any) {
    console.log('Error while creating workers:', err);
});

您必须以postgres超级用户帐户执行此操作,通常是用户 prod=> reassign owned by evil_user to root; ERROR: permission denied to reassign objects

答案 1 :(得分:0)

在没有超级用户帐户的情况下使用REASSIGN时,存在不直观的权限要求,例如在RDS和Cloud SQL上,但是只要您的current_user拥有GRANT evil_user TO prod的权限,就可以。请参阅另一篇我回答相同问题的文章:https://stackoverflow.com/a/62557497/79079

相关问题
最新问题