Postgres security

Derek Neighbors plug-discuss@lists.plug.phoenix.az.us
Fri, 2 Aug 2002 21:28:27 -0700


> I have been looking at PostgreSQL.  
> 
> Having gotten used to Oracle 8.1, Postgres seems a bit puny.  However,
> it is clearly a competent little ORDBMS with an unbeatable Initial
> Cost of Ownership.

If you want a GPL version of Oracle look at http://www.sapdb.org .  Did
I mention that GNUe supports SAP-DB. ;)  If you need a SAP-DB I have
about 100 or so en route to the house and probably 4 or 5 lying in the
office if you want one.

> Unfortunately, all the documentation seems to indicate that security
> is weak to the point of non-existence.  To secure a Pgsql database
> secure the *NIX box where it lives and let no one but the Sys Admin,
> DBA, very trusted developers (and trusted code) have user accounts on
> the database.  Everyone else connects through a trusted application or
> not at all.

I don't think that's correct, but it's neither here nor there; you should
use SAP-DB. ;)

> Most important, I can't find any way to keep a normal user from
> creating tables, indexes or other objects.  Furthermore, it looks like
> a user defaults to access to objects.  Just as bad, Postgres has no
> extensions to SQL-92/99 security so GRANT/REVOKE must be done object
> by object.

This pg_hba.conf is your friend, and how you create users
will dictate what they can or can't create by default.

> I write this in the hope that I am thoroughly mistaken and some kind
> citizen will correct my errors.

Postgres is far from perfect, but it can do what you want, unless I have
misunderstood the issues.

-Derek
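
The following is an added example, not part of the original message: a sketch of how the concerns raised in the thread (users creating objects, default access, object-by-object GRANT) are commonly locked down. It assumes a current PostgreSQL release, which has features not available in 2002, and the names appdb, app, app_owner and report_user are hypothetical.

```sql
-- Added example: run as a superuser while connected to the (hypothetical) database appdb.

-- A login role that cannot create databases or other roles.
CREATE ROLE report_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'change-me';            -- placeholder, replace before use

-- A non-login role that owns the application's objects.
CREATE ROLE app_owner NOLOGIN;

-- Ordinary roles may no longer create tables, indexes, etc. in the default schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Nobody connects (or creates temp tables) unless explicitly granted.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO report_user;

-- Application objects live in their own schema; report_user gets USAGE, not CREATE.
CREATE SCHEMA app AUTHORIZATION app_owner;
GRANT USAGE ON SCHEMA app TO report_user;

-- One statement covers every existing table instead of object-by-object grants.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO report_user;

-- Tables that app_owner creates later are covered automatically.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO report_user;

-- Verify the result: both CREATE checks should be false, CONNECT should be true.
SELECT has_schema_privilege('report_user', 'public', 'CREATE')   AS create_in_public,
       has_schema_privilege('report_user', 'app',    'CREATE')   AS create_in_app,
       has_database_privilege('report_user', 'appdb', 'CONNECT') AS can_connect;

-- pg_hba.conf (server configuration, not SQL) then restricts where and how
-- that role may authenticate, for example (constructed address range):
--   hostssl  appdb  report_user  192.0.2.0/24  scram-sha-256
```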