Re: pg_largeobject is a security hole

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Philip Warner <pjw(at)rhyme(dot)com(dot)au>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: pg_largeobject is a security hole
Date: 2001-06-27 23:49:26
Message-ID: 22691.993685766@sss.pgh.pa.us
Lists: pgsql-hackers

Philip Warner <pjw(at)rhyme(dot)com(dot)au> writes:
> At 12:27 27/06/01 -0400, Tom Lane wrote:
>> I propose that initdb should do
>> REVOKE ALL on pg_largeobject FROM public

> May have an issue with PG_DUMP, which does a 'select oid from
> pg_largeobject', I think.

Hmm. [sound of grepping] So does psql's \lo_list command. That's
annoying ... the list of large object OIDs is *exactly* what you'd want
to hide from the unwashed masses. Oh well, I'll leave bad enough alone
for now.

regards, tom lane
