Re: prevent users from seeing pl/pgsql code in pgadmin

From: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
To: "Merlin Moncure" <merlin(dot)moncure(at)rcsonline(dot)com>
Cc: <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: prevent users from seeing pl/pgsql code in pgadmin
Date: 2005-03-16 17:05:38
Message-ID: E7F85A1B5FF8D44C8A1AF6885BC9A0E472BBD0@ratbert.vale-housing.co.uk
Lists: pgadmin-hackers
 

> -----Original Message-----
> From: Merlin Moncure [mailto:merlin(dot)moncure(at)rcsonline(dot)com] 
> Sent: 16 March 2005 16:54
> To: Dave Page
> Cc: pgadmin-hackers(at)postgresql(dot)org
> Subject: RE: [pgadmin-hackers] prevent users from seeing 
> pl/pgsql code in pgadmin
> 
> > > I also tried hacking the search path and putting a pg_proc table
> into
> > > the public schema. While this fixed select * from pg_proc
> > > (but not /df),
> > > pgAdmin still pulled the function source.
> > 
> > Odd - it didn't here. Every query on pg_proc resulted in a 
> message box
> > telling me it couldn't select from pg_proc - protecting the source,
> but
> > breaking pgAdmin.
> 
> What did you do exactly?  Here's what I tried:
> 

REVOKE ALL ON TABLE pg_proc FROM public;

Revoking select doesn't help because your test user doesn't have it in
the first place - public does.

pgadmin=# create user test;
CREATE USER
pgadmin=# create table foo(bar int4);
CREATE TABLE
pgadmin=# select relacl from pg_class where relname = 'foo';
 relacl
--------

(1 row)

pgadmin=# grant select on table foo to test;
GRANT
pgadmin=# select relacl from pg_class where relname = 'foo';
                   relacl
---------------------------------------------
 {postgres=arwdRxt/postgres,test=r/postgres}
(1 row)

pgadmin=# revoke select on table foo from test;
REVOKE
pgadmin=# select relacl from pg_class where relname = 'foo';
           relacl
-----------------------------
 {postgres=arwdRxt/postgres}
(1 row)

pgadmin=# grant select on table foo to public;
GRANT
pgadmin=# select relacl from pg_class where relname = 'foo';
                 relacl
-----------------------------------------
 {postgres=arwdRxt/postgres,=r/postgres}
(1 row)

pgadmin=# revoke select on table foo from test;
REVOKE
pgadmin=# select relacl from pg_class where relname = 'foo';
                 relacl
-----------------------------------------
 {postgres=arwdRxt/postgres,=r/postgres}
(1 row)

Thinking about it - is that a bug or a feature?

Regards, Dave.
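
The session above shows the ACL unchanged after revoking from test, because the SELECT grant belongs to the empty-grantee (PUBLIC) entry. The following is an added example, not part of the original message: a small parser for the relacl text format shown above that reports which ACL entry actually gives a role a privilege. The function names are hypothetical, and it assumes unquoted role names and ignores group membership and the owner's implicit rights.

```python
# Added example: explain a role's table privileges from a pg_class.relacl value.
# Privilege letters as they appear in the relacl output quoted in the message.
PRIV_LETTERS = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "R": "RULE", "x": "REFERENCES", "t": "TRIGGER",
}


def parse_relacl(relacl):
    """Map each grantee to its privilege set; an empty grantee means PUBLIC."""
    grants = {}
    body = (relacl or "").strip().strip("{}")
    if not body:                      # NULL/empty ACL: no explicit grants
        return grants
    for item in body.split(","):
        grantee, _, rest = item.partition("=")
        letters = rest.split("/", 1)[0]        # drop the "/grantor" suffix
        privs = {PRIV_LETTERS[c] for c in letters if c in PRIV_LETTERS}
        grants.setdefault(grantee or "PUBLIC", set()).update(privs)
    return grants


def effective_privileges(relacl, role):
    """Privileges granted to the role itself plus those granted to PUBLIC."""
    grants = parse_relacl(relacl)
    return grants.get(role, set()) | grants.get("PUBLIC", set())


def grant_sources(relacl, role, privilege):
    """ACL entries that give `role` the privilege, i.e. what must be revoked."""
    grants = parse_relacl(relacl)
    return [g for g in (role, "PUBLIC") if privilege in grants.get(g, set())]


if __name__ == "__main__":
    # relacl value copied from the end of the psql session in the message
    after_revoke_from_test = "{postgres=arwdRxt/postgres,=r/postgres}"
    print(effective_privileges(after_revoke_from_test, "test"))
    print(grant_sources(after_revoke_from_test, "test", "SELECT"))
```
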
