I have a PostgreSQL database on a Debian box and i've (from the shell):
su postgres
createdb dnls
createuser dnls -P
Enter password for new user: somepass [enter]
Enter it again: somepass [enter]
Shall the new user be allowed to create databases? (y/n) n [enter]
Shall the new user be allowed to create more new users? (y/n) n [enter]
After that i added the user/pass/dbname in my Django app settings.py and then i did a manage.py syncdb and django created the tables for my models.
How come the dnls user has read/write permissions to dnls database?
I did not gived him any permissions anywhere.
Does he has access just because the database has the same name as him? This doesn't look secure.
Your new user didn't automatically get read/write permission to your database just because his name is the same as the database. You will find that info if you consult the createdb and createuser man pages.
What IS going on is that even though that user is not the owner, he has rights to read/write to all databases that aren't specifically restricted. This is controlled by the template that is used during the database creation. If you don't like that behavior, you can create your own template and in the future use the template during database creation.