Having gotten used to Oracle 8.1 Postgres seems a bit puny. However, it is
clearly a compentent little ORDBMS with an unbeatable Initial Cost of
Ownership.
Unfortunately, all the documentation seems to indicate that security is weak
to the point of non-existance. To secure a Pgsql database secure the *NIX
box where it lives and let no one but the Sys Admin, DBA, very trusted
developers (and trusted code) have user accounts on the database. Everyone
else connects through a trusted application or not at all.
Most important, I can't find anyway to keep a normal user from creating
tables, indexes or other objects. Furthermore, it looks like a user defaults
to access to objects. Just as bad, Postgres has no extensions to SQL-92/99
security so GRANT/REVOKE must be done object by object.
I write this in the hope that I am thoroughly mistaken and some kind citizen
will correct my errors.
(text/plain)