From: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Russell Smith <mr-russ(at)pws(dot)com(dot)au>, Andrew Dunstan <andrew(at)dunslane(dot)net>, andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Catalog Security WAS: Views, views, views: Summary |
Date: | 2005-05-14 09:12:27 |
Message-ID: | 4285C0FB.6090604@familyhealth.com.au |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
>>Tom mentioned that he had not had these security concerns raised before. From
>>my point of view I just have no idea about the level of information offered
>>to any given user and am scared to run PostgreSQL in an ISP shared
>>environment because of it. I am sure I can secure people from connecting to
>>a db by refusing them access in pg_hba.conf. But I'm unsure of exactly what
>>that buys me, and what is doesn't.
>
> It's certainly also a concern of mine that any given use can see every
> table in the database. I see that as a definite problem and just
> assumed it was already on the radar and something that was planned to be
> fixed. It astounds me that the claim is that such security is
> impossible.
>
> It bothers me a great deal that I can't control very easily what a given
> user can see when they connect over ODBC or via phppgadmin in terms of
> schemas, tables and columns. I fixed this in application code in
> phppgadmin but that's clearly insufficient since it doesn't do anything
> for the other access methods.
Modifiying phpPgAdmin is useless - people can query the catalogs manually.
Hackers - we get an email about information hiding in shared
postgresql/phppgadmin installations at least once a fortnight :)
Chris
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2005-05-14 12:55:17 | Re: Catalog Security WAS: Views, views, views: Summary |
Previous Message | Alvaro Herrera | 2005-05-14 05:30:53 | Re: Permissions not removed when group dropped |