
Securing table creation

From: GH <grasshacker(at)over-yonder(dot)net>
To: pgsql-novice(at)postgresql(dot)org
Subject: Securing table creation
Date: 2000-11-15 22:45:23
Message-ID: 20001115164523.A13060@over-yonder.net
Lists: pgsql-novice
How are Postgres administrators (e.g. ISPs) securing table creation?

As I see it, any user may create tables under any database (except
Postgres system catalogs) whether they are meant to be allowed to or 
are not. Is this accurate? I do not see any way to define permissions
for a database regarding creating tables under that database. 

This seems like a security flaw. Is that the case?
Suppose there exists a multi-user webserver. There are many 
users who have access to Postgres, but not to everything within 
Postgres. If there is among the users one that is hostile 
(or uncareful) it seems to be possible for this user to create tables 
under any database...and insert data into that table. Of course, reads
and writes to existing tables are managed by grants, but not table
creation.

Is there a way around this?
I hope to (almost have to) use strictly database-based authentication
(i.e. without using external password files). 
It seems that tables can be created under any database regardless of the
authentication setup in pg_hba.conf (e.g. using a separate password file
for each database, database-based passwords, etc.). 

I thank you.

gh


