In PostgreSQL it’s quite easy to restrict a user’s access to some tables:
- create a restrictive view
- grant usage on the view’s schema
- grant select on the view to the restricted user
Really easy. But it does not work when the restrictive view selects from another view that uses function(s)! In that case, you might get a very informative error:
ERROR: permission denied for relation <TABLE>
ERROR: permission denied for schema <SCHEMA>
Why? Well, everything works as expected: you have permission to SELECT from the restrictive view, and thus you really do have some access to the underlying view/table, but a function used in that view is still executed with the permissions of the restricted user, and therefore you obviously end up with ‘permission denied’.
The solution is simple: force the affected function(s) to execute with the privileges of the user that created them:
ALTER FUNCTION <FUNCTION> SECURITY DEFINER;
See the CREATE FUNCTION manual for more info.
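The failure and the fix described above, as an added example that is not part of the original post. All object names (schemas private and api, role report_ro, the tables, to_eur) are constructed, and it assumes a scratch database and a superuser session that owns every object. It goes one step past the post by pinning search_path and narrowing EXECUTE, as the CREATE FUNCTION manual advises for SECURITY DEFINER functions.

```sql
-- Constructed objects; run as one superuser role that will own all of them.
CREATE SCHEMA private;
CREATE SCHEMA api;
CREATE ROLE report_ro NOLOGIN;

CREATE TABLE private.rates  (currency text PRIMARY KEY, rate numeric NOT NULL);
CREATE TABLE private.orders (id int PRIMARY KEY, amount numeric, currency text, note text);
INSERT INTO private.rates  VALUES ('USD', 0.9);
INSERT INTO private.orders VALUES (1, 100, 'USD', 'internal only');

-- The function reads a table in a schema the restricted role cannot use.
CREATE FUNCTION private.to_eur(amt numeric, cur text) RETURNS numeric
LANGUAGE plpgsql STABLE AS $$
BEGIN
  RETURN amt * (SELECT r.rate FROM private.rates r WHERE r.currency = cur);
END $$;

-- The inner view calls the function; the restrictive view selects from it.
CREATE VIEW private.orders_eur AS
  SELECT id, private.to_eur(amount, currency) AS amount_eur, note
  FROM private.orders;
CREATE VIEW api.orders_public AS
  SELECT id, amount_eur FROM private.orders_eur;

GRANT USAGE ON SCHEMA api TO report_ro;
GRANT SELECT ON api.orders_public TO report_ro;

-- Table access through the views is checked against the view owner, but
-- to_eur still runs as report_ro, who has no USAGE on schema private,
-- so this SELECT is refused.
SET ROLE report_ro;
SELECT * FROM api.orders_public;
RESET ROLE;

-- The fix from the post, plus hardening: pin search_path so the body cannot
-- resolve names through a caller-controlled path, and limit who may call a
-- function that now runs with its owner's privileges. One transaction, so
-- there is no window where PUBLIC can execute the definer-rights function.
BEGIN;
ALTER FUNCTION private.to_eur(numeric, text) SECURITY DEFINER;
ALTER FUNCTION private.to_eur(numeric, text) SET search_path = private, pg_temp;
REVOKE EXECUTE ON FUNCTION private.to_eur(numeric, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION private.to_eur(numeric, text) TO report_ro;
COMMIT;

-- Same query, same role, after the change.
SET ROLE report_ro;
SELECT * FROM api.orders_public;
RESET ROLE;
```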
I encountered this problem again, so let’s write it down to avoid googling it.
PowerDNS fails to start with:
pdns.service: Failed at step ADDRESS_FAMILIES spawning /usr/sbin/pdns_server: Invalid argument
- edit /lib/systemd/system/pdns.service
- comment out RestrictAddressFamilies
- comment out ProtectSystem=full
- possibly kill systemd-resolved
- systemctl daemon-reload
- ask yourself again, why are you using Debian with systemd on a server? And why the hell is it starting services I’ve never configured to start? Isn’t it time to switch to Windows? It seems more predictable to me…
tinc is a great mesh Virtual Private Network daemon, with just one little glitch (and also little crypto problems ;-). I find its configuration really tedious and complicated compared to OpenVPN and its possibility to centrally assign IP addresses and push options to clients. I know, that’s the tax for being a mesh, but wouldn’t it be great to configure your mesh network a bit centrally?
Here is my solution for making the Amlogic S812-based Beelink MXIII Plus Android TV Box work with a Logitech Harmony universal remote. It’s based on the solution described in this forum post, but modified to make it easier to use (if your Harmony remote is able to learn new IR commands).
Sometimes you need to selectively route specified IPs or networks via a different interface, e.g. if you want to route private addresses over a VPN (a.k.a. split tunnel routing) or to route some public IPs over a VPN to unblock some nationally restricted sites (Netflix). Here are simple scripts to achieve this.