| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | Phil Frost <indigo(at)bitglue(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: lastval exposes information that currval does not |
| Date: | 2006-07-10 18:24:08 |
| Message-ID: | 20060710182408.GH17723@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Jul 10, 2006 at 01:42:27PM -0400, Phil Frost wrote:
> I think that misses the point. One can easily find objects in a schema
> without usage by examining the system catalogs. The point is that there
> are ways to access objects without going through the schema usage check,
> and also that the check is made only once at the time a name is resolved
> to an oid, which may then be cached in a prepared statement, stored
> procedure, lastval, or the like. I would suggest something more like
> this:
Can you SELECT/UPDATE/DELETE from a table knowing only its oid? I'd
like to see that trick. lastval() is an odd case, given the user
doesn't actually supply the oid.
> In applications where security is very important, it may be wise to
> assure that no users have undesired privileges on objects within a
> schema, and not to rely solely on the schema usage privilege.
Indeed, never give priveledges unless you're sure you want people to
have them.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2006-07-10 18:33:51 | Win32 build error |
| Previous Message | Phil Frost | 2006-07-10 17:42:27 | Re: lastval exposes information that currval does not |