| From: | Russell Smith <mr-russ(at)pws(dot)com(dot)au> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Catalog Security WAS: Views, views, views: Summary |
| Date: | 2005-05-14 02:25:01 |
| Message-ID: | 200505141225.01741.mr-russ@pws.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, 14 May 2005 04:34 am, Andrew Dunstan wrote:
>
> Andrew - Supernews wrote:
>
> >>
> >>1) The "ISP" case, where you want to hide all catalog information from the
> >>users except the database owner or superuser.
> >>
> >>
> >
> >I don't believe this is ever feasible in practice, since client interfaces
> >at any level higher than libpq will need to access metadata corresponding
> >to the data they are retrieving.
> >
> >
> >
>
> In the general case you might well be right. Following a scheme like I
> have in mind is not something that would be transparent to the
> application - it will probably impose some serious limits on the app.
> The little sample application I did for testing did everything by stored
> procedure. Anyway, as I said, it's a project for the future.
>
From a general user point of view, I do not know the system catalogs very
well. I am very unsure of what level of information is available to every
user on the system.
- Which parts of other databases can be seen by users?
- What is the best method to restrict connections to db's people don't have
permissions to.
- Is there some restrictions you can place on tables people don't have access
too. Otherwise they can see all the columns and table info.
These are just some of the questions I have, I'm not sure where to get
answers, searching the archives may help, but it's definitely not a final
answer. Especially since this stuff would be a moving target with each
version change of PostgreSQL.
Tom mentioned that he had not had these security concerns raised before. From
my point of view I just have no idea about the level of information offered
to any given user and am scared to run PostgreSQL in an ISP shared
environment because of it. I am sure I can secure people from connecting to
a db by refusing them access in pg_hba.conf. But I'm unsure of exactly what
that buys me, and what is doesn't.
A hardening script would be helpful, but some clear information on what is
also available to the average user would be good too. I know I should
probably step up to do this and don't have time at the moment. I'm sure if I
did, I would also miss a great number of things.
Regards
Russell Smith
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2005-05-14 02:39:38 | Re: Catalog Security WAS: Views, views, views: Summary |
| Previous Message | Greg Sabino Mullane | 2005-05-14 00:12:07 | Re: libpq lo_open errors when first action in connection |