| From: | Richard Huxton <dev(at)archonet(dot)com> |
|---|---|
| To: | Willy-Bas Loos <willybas(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Unauthorized users can see db schema and read functions |
| Date: | 2007-01-30 09:38:05 |
| Message-ID: | 45BF11FD.6080408@archonet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Willy-Bas Loos wrote:
> Hi,
>
> I've noticed that any user who can logon to a db cluster can read the
> schema
> of all databases in it, including the code of all plpgsql functions.
> Even in
> schema's he/she doesn't have access to.
[snip]
> o Why is schema information not restricted?
> o Is there any way to prevent this, other than starting another cluster
> for
> this user's database
The short answer is "because it's always been this way".
The long answer is that users are per-cluster not per-database. So, they
need a certain amount of access to the system tables just to connect and
do anything. Now, in some cases there are views over the system tables
that provide restricted access (compare pg_user to pg_shadow) but they
aren't everywhere.
However, you can use pg_hba.conf to restrict access to a database entirely.
--
Richard Huxton
Archonet Ltd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrus | 2007-01-30 09:57:54 | Re: How to allow users to log on only from my application |
| Previous Message | Joris Dobbelsteen | 2007-01-30 09:32:34 | Re: Unauthorized users can see db schema and read functions |