| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | josh(at)agliodbs(dot)com |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Insufficient attention to security in contrib (mostly) |
| Date: | 2007-08-27 21:46:25 |
| Message-ID: | 9081.1188251185@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Josh Berkus <josh(at)agliodbs(dot)com> writes:
> Tom,
>> That's OK for individual tables, but we have no equivalent concept for
>> whole databases or tablespaces. What do you propose for them?
> CONNECT, of course. There are no permissions for tablespaces except
> CREATE, so presumably if the user can connect to the db, they ought to be
> able to see the size of the tablespaces.
Uh, if you agree that a user shouldn't be able to find out the size of a
table he can't read, why is it OK to find out the size of the database
or tablespace containing it? In typical cases where there's just one or
a few large tables, the latter number would go far towards giving you
the former. For instance, if you are allowed to access all but one
table in a DB, subtraction will give you its size exactly. In the same
way at the next level up, access to tablespace stats would tell a user a
lot about the size of databases he isn't supposed to have access to.
[ thinks for awhile... ]
It does strike me that there's a good reason for not restricting the
table-size functions: anyone who can look at pg_class.relpages can get
a maybe-not-up-to-date version of the same number. There are probably
some corner cases where exact knowledge is more interesting than
approximate knowledge, but it's hard to justify a blanket prohibition.
So maybe we should forget the restriction on the table size functions.
However, the pg_class argument doesn't extend to letting someone find
out the size of a database he's not supposed to be able to get into.
One possibility would be to make the tablespace size function silently
ignore any per-database subdirectories for which the current user
doesn't have CONNECT privilege. I'm not exactly thrilled with that,
though --- functions that silently lie to you are a great foot-gun.
Another idea is to not hardwire any restriction into the C code, but
instead have initdb revoke the default public execute access on the
tablespace size function. It would still work for superusers, and
a particular DBA could choose to grant execute to trustworthy people.
The problem is that you'd have to repeat the grant over and over
(in particular, pg_dump wouldn't save its effects).
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-08-27 21:53:06 | Re: MSVC build system |
| Previous Message | Andrew Dunstan | 2007-08-27 21:38:03 | Re: MSVC build system |