--- checkId: check.db.permissions plugin: stellaops.doctor.database severity: fail tags: [database, postgres, permissions, security] --- # Database Permissions ## What It Checks Inspects the current PostgreSQL user, whether it is a superuser, whether it can create databases or roles, and whether it has access to application schemas. The check warns when the app runs as a superuser and fails when the user cannot use the `public` schema. ## Why It Matters Over-privileged accounts increase blast radius. Under-privileged accounts break startup migrations and normal CRUD paths. ## Common Causes - The connection string still uses `postgres` or another admin account - Grants were not applied after creating a dedicated service account - Restrictive schema privileges were added manually ## How to Fix ### Docker Compose ```bash docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "CREATE USER stellaops WITH PASSWORD '';" docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT CONNECT ON DATABASE stellaops TO stellaops;" docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT USAGE ON SCHEMA public TO stellaops;" docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO stellaops;" ``` Update `ConnectionStrings__DefaultConnection` after the grants are in place. ### Bare Metal / systemd ```bash psql -h -U postgres -d -c "ALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE;" ``` ### Kubernetes / Helm ```bash kubectl exec -n -- psql -U postgres -d -c "\du" ``` ## Verification ```bash stella doctor --check check.db.permissions ``` ## Related Checks - `check.db.migrations.failed` - missing privileges frequently break migrations - `check.db.connection` - credentials and grants must both be correct