From: | Tino Wildenhain <tino(at)wildenhain(dot)de> |
---|---|
To: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
Cc: | Christophe <xof(at)thebuild(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Running untrusted sql safely? |
Date: | 2009-02-16 07:10:27 |
Message-ID: | 49991163.3060408@wildenhain.de |
Lists: | pgsql-general |
Scott Marlowe wrote:
> On Sun, Feb 15, 2009 at 4:39 PM, Christophe <xof(at)thebuild(dot)com> wrote:
>> On Feb 15, 2009, at 2:47 PM, Stuart McGraw wrote:
>>
>>> I'm just hoping for some confirmation that the permissions-based approach
>>> did not have some holes in it that I am not seeing.
>> Another possibility is to create a set of functions that contain the query
>> operations you would like to allow, isolate those in a schema, and make that
>> schema the only thing accessible to the (semi-)trusted users.
>
> I can see that getting complex real fast in a big operation, but for a
> database that runs a few big reporting queries every day or sits on an
> intranet would be workable.
...
And to actually answer Christophe's question: yes, granting only
SELECT on a few tables is enough to prevent them from doing anything else
in the database. But watch out for the default permissions on the
public schema of all the databases the users are able to connect to.
Regards
Tino
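As an added example (not part of the thread), the SELECT-only setup described above with the public-schema caveat handled; the role name "report_reader", database "reports" and tables "orders"/"customers" are placeholders:

```sql
-- Read-only role for semi-trusted users (added example; names are placeholders).
-- 1. A login role that can create nothing.
CREATE ROLE report_reader LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Grant only SELECT on the tables the user is meant to read. Nothing else is
--    granted, so other tables, sequences and functions stay out of reach.
GRANT SELECT ON public.orders, public.customers TO report_reader;

-- 3. The caveat from the message: before PostgreSQL 15, schema "public" grants
--    CREATE to PUBLIC by default, so a user with nothing but SELECT could still
--    create tables or functions there. Take that away.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. The same default exists for databases: CONNECT and TEMP on a new database
--    are granted to PUBLIC. Revoke them on every database the user should not
--    reach (template1 shown here; repeat per database) and grant CONNECT only
--    on the reporting database.
REVOKE CONNECT, TEMP ON DATABASE template1 FROM PUBLIC;
REVOKE TEMP ON DATABASE reports FROM PUBLIC;
GRANT CONNECT ON DATABASE reports TO report_reader;

-- 5. Check the outcome: every row should come back "f" (false) except the
--    SELECT checks on the two granted tables.
SELECT has_schema_privilege('report_reader', 'public', 'CREATE')       AS can_create,
       has_table_privilege('report_reader', 'public.orders', 'SELECT') AS can_select,
       has_table_privilege('report_reader', 'public.orders', 'INSERT') AS can_insert,
       has_database_privilege('report_reader', 'template1', 'CONNECT') AS can_connect_t1;

-- 6. List the ACLs on every table in "public" (NULL relacl = owner-only default).
SELECT c.relname, c.relacl
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'public' AND c.relkind IN ('r', 'v');
```

Run the checks again after any restore or schema change, since a dumped schema re-creates objects with their saved ACLs.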