Re: Insufficient attention to security in contrib (mostly)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Insufficient attention to security in contrib (mostly)
Date: 2007-08-28 05:49:14
Message-ID: 18591.1188280154@sss.pgh.pa.us
Lists: pgsql-hackers

Josh Berkus <josh(at)agliodbs(dot)com> writes:
> Hmmm ... except we're not requiring even permission on *one* DB in the
> tablespace are we?

The status-quo-ante was that any user could get the number for any
database and/or any tablespace. I'm prepared to admit that what I
committed is too strong, but no restriction at all still seems too weak.

> How difficult would it be to require
> that the requestor have CONNECT on at least one DB in the tablespace?

... in particular, that restriction seems pretty content-free for most
practical layouts. And it's got interesting security behaviors:
DBA A, by more-or-less innocently allowing some tables in his database B
to be created in tablespace C, might be allowing his unrelated user D to
find out info about some other database E that shares use of C. I'd
like there to have to be some direct, intended connection of D to E
before D can measure E's size ...

regards, tom lane
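
The A/B/C/D/E scenario from the message above, modelled as an added example; it is not part of the original message and is not PostgreSQL code. The function name, the dictionaries and the tablespace name `ts_b` are assumptions made for illustration. It lists which users would learn size information about databases they cannot connect to under the proposed "CONNECT on at least one DB in the tablespace" rule.

```python
# Added illustration: a toy model of the proposed rule, not PostgreSQL code.
from collections import defaultdict


def exposed_pairs(connect, placement):
    """Return {(user, database)} pairs where the proposed rule lets `user`
    read the size of a tablespace that holds objects of `database`, although
    `user` has no CONNECT privilege on `database`.

    connect:   dict user -> set of databases the user has CONNECT on
    placement: dict database -> set of tablespaces holding its objects
    """
    # Invert the placement map: tablespace -> databases sharing it.
    sharing = defaultdict(set)
    for db, spaces in placement.items():
        for ts in spaces:
            sharing[ts].add(db)

    exposed = set()
    for user, dbs in connect.items():
        for ts, tenants in sharing.items():
            # Proposed rule: CONNECT on at least one database in the
            # tablespace is enough to ask for the tablespace's size.
            if dbs & tenants:
                # Every co-tenant the user cannot connect to is exposed.
                exposed |= {(user, db) for db in tenants - dbs}
    return exposed


# Constructed layout using the letters from the message:
# user D has CONNECT on database B only; database E lives in tablespace C.
CONNECT = {"D": {"B"}}
BEFORE = {"B": {"ts_b"}, "E": {"C"}}        # B does not use C yet
AFTER = {"B": {"ts_b", "C"}, "E": {"C"}}    # DBA A lets some of B's tables into C

if __name__ == "__main__":
    print("before:", exposed_pairs(CONNECT, BEFORE))
    print("after: ", exposed_pairs(CONNECT, AFTER))
```

Running the same check over a real catalog layout would show every user/database pair that a single tablespace placement decision opens up under that rule.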
