Re: Catalog Security WAS: Views, views, views: Summary

From: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Catalog Security WAS: Views, views, views: Summary
Date: 2005-05-14 02:25:01
Message-ID: 200505141225.01741.mr-russ@pws.com.au
Lists: pgsql-hackers

On Sat, 14 May 2005 04:34 am, Andrew Dunstan wrote:
>
> Andrew - Supernews wrote:
>
> >>
> >>1) The "ISP" case, where you want to hide all catalog information from the
> >>users except the database owner or superuser.
> >>
> >>
> >
> >I don't believe this is ever feasible in practice, since client interfaces
> >at any level higher than libpq will need to access metadata corresponding
> >to the data they are retrieving.
> >
> >
> >
>
> In the general case you might well be right. Following a scheme like I
> have in mind is not something that would be transparent to the
> application - it will probably impose some serious limits on the app.
> The little sample application I did for testing did everything by stored
> procedure. Anyway, as I said, it's a project for the future.
>
From a general user point of view, I do not know the system catalogs very
well. I am very unsure of what level of information is available to every
user on the system.

- Which parts of other databases can be seen by users?
- What is the best method to restrict connections to db's people don't have
permissions to?
- Are there some restrictions you can place on tables people don't have access
to? Otherwise they can see all the columns and table info.

These are just some of the questions I have, I'm not sure where to get
answers, searching the archives may help, but it's definitely not a final
answer. Especially since this stuff would be a moving target with each
version change of PostgreSQL.

Tom mentioned that he had not had these security concerns raised before. From
my point of view I just have no idea about the level of information offered
to any given user and am scared to run PostgreSQL in an ISP shared
environment because of it. I am sure I can secure people from connecting to
a db by refusing them access in pg_hba.conf. But I'm unsure of exactly what
that buys me, and what it doesn't.

A hardening script would be helpful, but some clear information on what is
also available to the average user would be good too. I know I should
probably step up to do this and don't have time at the moment. I'm sure if I
did, I would also miss a great number of things.

Regards

Russell Smith
