
Re: prevent users from seeing pl/pgsql code in pgadmin

From: "Merlin Moncure" <merlin(dot)moncure(at)rcsonline(dot)com>
To: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
Cc: <pgadmin-hackers(at)postgresql(dot)org>,<pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: prevent users from seeing pl/pgsql code in pgadmin
Date: 2005-03-16 17:19:54
Message-ID: 6EE64EF3AB31D5448D0007DD34EEB3412A764E@Herge.rcsinc.local
Lists: pgadmin-hackers

> -----Original Message-----
> From: Dave Page [mailto:dpage(at)vale-housing(dot)co(dot)uk]
> Sent: Wednesday, March 16, 2005 12:06 PM
> To: Merlin Moncure
> Cc: pgadmin-hackers(at)postgresql(dot)org
> Subject: RE: [pgadmin-hackers] prevent users from seeing pl/pgsql code
> in pgadmin
> 
> 
> 
> > -----Original Message-----
> > From: Merlin Moncure [mailto:merlin(dot)moncure(at)rcsonline(dot)com]
> > Sent: 16 March 2005 16:54
> > To: Dave Page
> > Cc: pgadmin-hackers(at)postgresql(dot)org
> > Subject: RE: [pgadmin-hackers] prevent users from seeing
> > pl/pgsql code in pgadmin
> >
> > > > I also tried hacking the search path and putting a pg_proc table
> > > > into the public schema. While this fixed select * from pg_proc
> > > > (but not /df), pgAdmin still pulled the function source.
> > >
> > > Odd - it didn't here. Every query on pg_proc resulted in a message
> > > box telling me it couldn't select from pg_proc - protecting the
> > > source, but breaking pgAdmin.
> >
> > What did you do exactly?  Here's what I tried:
>

Ah. Ok, yes this certainly breaks pgAdmin.  And true function code
protection on the server side seems pretty nasty without some serious
hacking.

What about this: do you think pgAdmin should prevent rendering the sql code
for various database schema objects (but especially functions) if the
pgAdmin user does not have appropriate access to that object?

For example, if the user does not have the 'execute' permission, disable sql
render of the function object.  I think this is pretty reasonable from a
security standpoint until such time that the server gets this
capability.

Merlin
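
The client-side check proposed in the message above, sketched as a query (an added example, not part of the original message and not pgAdmin's code; the role `report_user` and function `secret_calc` are constructed for the demo). It uses PostgreSQL's `has_function_privilege` and also shows that the catalog row stays readable, so the gate only affects what the client renders:

```sql
-- Constructed demo objects (hypothetical names): report_user, secret_calc.
-- Run as a superuser in a scratch database.
CREATE ROLE report_user LOGIN;
CREATE FUNCTION secret_calc(x integer) RETURNS integer
    LANGUAGE plpgsql AS $$ BEGIN RETURN x * 42; END; $$;

-- Functions are executable by PUBLIC by default, so an EXECUTE-based
-- check only means something once that default grant is revoked.
REVOKE EXECUTE ON FUNCTION secret_calc(integer) FROM PUBLIC;

SET ROLE report_user;

-- What a client could run before rendering: the body is returned only
-- where the current user holds EXECUTE on the function.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       has_function_privilege(p.oid, 'EXECUTE') AS can_execute,
       CASE WHEN has_function_privilege(p.oid, 'EXECUTE')
            THEN p.prosrc
            ELSE '-- source hidden: no EXECUTE privilege'
       END AS source_for_display
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.proname = 'secret_calc';

-- The same role can still read the catalog column directly, which is
-- why this is a display policy in the client and not server-side protection.
SELECT prosrc FROM pg_catalog.pg_proc WHERE proname = 'secret_calc';

-- Clean up the demo objects.
RESET ROLE;
DROP FUNCTION secret_calc(integer);
DROP ROLE report_user;
```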
