[rt-users] RT setup and Postgres object ownership

Thomas Sibley trs at bestpractical.com
Mon Nov 26 18:02:53 EST 2012


On 11/26/2012 02:50 PM, Darren Spruell wrote:
> I don't understand how the default ownership/rights after the RT
> setup, done using the postgres superuser (DBA), allow the RT user to
> have read/write access to RT objects.

RT runs the etc/acl.Pg file during install and etc/upgrade/*/acl.Pg
during upgrade.  This file generates GRANT commands to run for the
application user.  See the output of "\dp" in psql for what permissions
are currently granted.

There are similar acl.* files for other database types, as necessary.

> I'm guessing this is more a a postgres access privileges topic than a
> RT topic - but curious how the application DB user has privileges to
> these objects, and also why the default installation doesn't set the
> app user (rt_user) as the owner of the database and then allow
> inheritance to set ownership on child objects.

Making the application user the owner would allow the user to do much,
much more than the SELECT, INSERT, UPDATE, and DELETE currently allowed
of it.  It's poor practice to give the application user more privileges
than necessary in case the front end is compromised by a malicious user.



More information about the rt-users mailing list