Re: Unauthorized users can see db schema and read functions

From: "Joris Dobbelsteen" <Joris(at)familiedobbelsteen(dot)nl>
To: "Willy-Bas Loos" <willybas(at)gmail(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Unauthorized users can see db schema and read functions
Date: 2007-01-30 09:32:34
Message-ID: 73427AD314CC364C8DF0FFF9C4D693FF5533@nehemiah.joris2k.local
Lists: pgsql-general

_____

From: pgsql-general-owner(at)postgresql(dot)org
[mailto:pgsql-general-owner(at)postgresql(dot)org] On Behalf Of Willy-Bas Loos
Sent: Tuesday 30 January 2007 9:41
To: pgsql-general(at)postgresql(dot)org
Subject: [GENERAL] Unauthorized users can see db schema and read
functions

Hi,

I've noticed that any user who can log on to a db cluster can read the
schema of all databases in it, including the code of all plpgsql
functions. Even in schemas he/she doesn't have access to. For tables it
just says 'access denied for schema bla', after which the structure is
still shown to the user. For functions, there is no warning at all, you
can just read (copy, paste) away.
I use pgAdmin3 1.6.2 as a front-end for both linux and windows servers,
but I don't think restricting schema information should be a front-end
responsibility.

o Why is schema information not restricted?

This is a limitation of <= 8.1.x.
In 8.2 the "CONNECT" privilege was introduced on the database (still
wondering why it was not done earlier).

Probably something similar should be done on the schemas too ;)


o Is there any way to prevent this, other than starting another cluster
for this user's database?

* Upgrade to 8.2...
* (Not sure and seems to contradict your statement) you can
move everything into a different schema, since public will always be
readable, and others can be restricted

People who know it for sure should correct me, of course.
I found the behaviour strange too...

- Joris
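
The CONNECT privilege and the separate-schema suggestion from the reply above, as an added example that is not part of the original message. It assumes PostgreSQL 8.2 or later; the database `appdb`, the schema `app` and the role `app_user` are hypothetical names.

```sql
-- Added example; appdb, app and app_user are hypothetical names.
-- Run steps 1-3 as a superuser or the database owner (PostgreSQL 8.2+).

-- 1. Every role can connect through PUBLIC by default. Remove that
--    and grant CONNECT only to the roles that belong in this database.
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO app_user;

-- 2. Keep application objects in their own schema and grant USAGE
--    explicitly instead of relying on the public schema.
REVOKE ALL ON SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_user;

-- 3. Audit: every role/database pair that can still connect.
--    Superusers always appear, since they bypass privilege checks.
SELECT d.datname, r.rolname
FROM pg_database d
CROSS JOIN pg_roles r
WHERE NOT d.datistemplate
  AND has_database_privilege(r.rolname, d.datname, 'CONNECT')
ORDER BY d.datname, r.rolname;

-- 4. Check, run as the restricted role inside a database it can
--    connect to: functions whose source is readable from the catalog
--    although the current role lacks USAGE on their schema.
SELECT n.nspname, p.proname, length(p.prosrc) AS source_bytes
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT has_schema_privilege(n.oid, 'USAGE')
ORDER BY n.nspname, p.proname;
```

CONNECT is checked when a session is opened, so step 1 keeps a role out of a database's catalogs entirely; schema USAGE in step 2 governs access to the objects, and step 4 shows what the catalogs still reveal to a role that is already connected.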
