| From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | Saimon Lim <aimon(dot)slim(at)gmail(dot)com> |
| Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: How to hide stored procedure's bodies from specific user |
| Date: | 2015-02-13 14:39:43 |
| Message-ID: | CAHyXU0yjw2gBMgdEp7YkSWMQubimA0c+BYvOmxqRn38FxtadKw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Feb 13, 2015 at 5:17 AM, Saimon Lim <aimon(dot)slim(at)gmail(dot)com> wrote:
> Thanks for your help
>
> I want to restrict some postgres users as much as possible and allow them to
> execute a few my own stored procedures only.
>
> If I block access using:
>
> REVOKE ALL ON pg_catalog.pg_proc FROM PUBLIC;
> REVOKE ALL ON FUNCTION pg_catalog.pg_get_functiondef(oid) FROM PUBLIC;
>
> the user will fail to select procedure's body from pg_catalog.pg_proc and
> using psql \sf of \ef.
> Is this method correct?
[FYI -- please try to avoid top-posting]
That is correct. However, I'm not guaranteeing that it's a 100% clean
solution...there may be other loopholes you have to close also. For
example, if you get an unhandled error inside a function the database
will send the error context back to the client. Basically you're
playing 'whack-a-mole' -- however, it's not too difficult to hide
stored procedure bodies from the *casual observer* if you take certain
precautions.
A stronger approach would be write a wrapper to pl/pgsql that
encrypted the function bodies (this is not trivial), or to write them
in C as John noted.
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G Johnston | 2015-02-13 14:47:55 | Re: infinite recursion detected in rules for relation |
| Previous Message | Bill Moran | 2015-02-13 14:27:54 | Re: Unknown error while running <> postgresql_installer_dc46cfee2c\getlocales.exe |