| From: | Mr Dash Four <mr(dot)dash(dot)four(at)googlemail(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: strange permission error |
| Date: | 2012-10-03 10:29:30 |
| Message-ID: | 506C138A.3080309@googlemail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> 2. If somebody manages to hijack your connection, you have much worse
> problems than whether they can read your system catalogs. They can at
> least copy, and probably modify, your user data.
If I have restricted those permissions (i.e. access to specific schemas
only, allowing specific operations - like INSERT only on just the tables
needed for that particular db user) how would a user, who hijacked the
connection, be able to "at least copy, and probably modify user data" then?
> The catalogs are
> unlikely to contain anything that's very interesting to an attacker
> who knows enough about your operations to hijack a connection in the
> first place.
>
They give a comprehensive information about the entire structure of the
database - that, at least to me, is good-enough reason to restrict such
an access.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Chris Travers | 2012-10-03 11:06:56 | pros and cons of two security models |
| Previous Message | Chris McDonald | 2012-10-03 08:19:16 | Re: stored procedure multiple call call question |