Re: Disable databse listing for non-superuser (\l) ?

From: Andreas Wenk <a(dot)wenk(at)netzmeister-st-pauli(dot)de>
To: Bill Moran <wmoran(at)potentialtech(dot)com>
Cc: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Disable databse listing for non-superuser (\l) ?
Date: 2009-07-25 13:53:15
Message-ID: 4A6B0E4B.2080103@netzmeister-st-pauli.de
Lists: pgsql-general

Bill Moran wrote:
> Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> wrote:
>> On Fri, Jul 24, 2009 at 5:02 PM, Brian A.
>> Seklecki<lavalamp(at)spiritual-machines(dot)org> wrote:
>>> All:
>>>
>>> Any suggestions on how-to, or comments on a potential NFR, to disable
>>> non-superusers from viewing the database list via \l?
>> So, is this a misguided attempt at security through obscurity, or are
>> you looking at limiting the noise that users see when they look at
>> databases?
>
> I don't know about misguided, Scott. Security takes many forms.
>
> If a client wants shared database hosting, but wants an assurance that
> other clients using the same shared DB server can't tell who else is
> using it?
>
> It's not security in the strict computer-science definition. Obviously,
> if the proper ownerships and grants don't exist to protect the data, in
> addition to said obscurity, then the whole thing is pointless. But such
> obscurity _in_addition_ to proper, real security, has shown usefulness
> in many areas.
>
> Take a properly secured SSH server, for example, and move it to an obscure
> port #. Now you've reduced the number of mindless bots looking for
> unprotected root accounts, and your IDS solution that monitors the ssh
> logs is actually useful. Of course, that's only effective if ssh is
> properly secured to begin with.
>
> Similar concept.
>
> Many clients want the cost-effectiveness of shared DB hosting. Many of
> them also want it kept under wraps that they're doing so. The provider
> that can do such a thing gets the contract. Those that complain about
> "it's not security, it's obscurity" do not get the contract.
>
> I mean, didn't Apple just kill someone for letting their new iPhone
> design leak?

This is now going off topic - but what do you mean by your last sentence?

Cheers

Andy
