From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
Cc: | Russell Smith <mr-russ(at)pws(dot)com(dot)au>, Andrew Dunstan <andrew(at)dunslane(dot)net>, andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Catalog Security WAS: Views, views, views: Summary |
Date: | 2005-05-14 12:55:17 |
Message-ID: | 20050514125516.GE30011@ns.snowman.net |
Lists: | pgsql-hackers |

* Christopher Kings-Lynne (chriskl(at)familyhealth(dot)com(dot)au) wrote:
> >It bothers me a great deal that I can't control very easily what a given
> >user can see when they connect over ODBC or via phppgadmin in terms of
> >schemas, tables and columns. I fixed this in application code in
> >phppgadmin but that's clearly insufficient since it doesn't do anything
> >for the other access methods.
>
> Modifying phpPgAdmin is useless - people can query the catalogs manually.

It's not entirely *useless*; it's just not a proper fix for the security
issue, I'll grant you that. Personally I found the hack that I did pretty
useful since most of my users aren't likely to go sniffing through the
catalog and it was a temporary workaround for the complaints until
there's a proper fix.

> Hackers - we get an email about information hiding in shared
> postgresql/phppgadmin installations at least once a fortnight :)

I agree with this - it needs to be dealt with and fixed already, once and
for all.

Thanks,

Stephen