| From: | ITAGAKI Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Permission of prepared statements (was: pg_stat_statements) |
| Date: | 2008-06-16 08:04:26 |
| Message-ID: | 20080616162234.752E.52131E4D@oss.ntt.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> We don't have any system-wide names for statements, so this seems
> pretty ill-defined and of questionable value. Showing the text of
> statements in a view also has security problems.
I found we can execute prepared statements and view the sql source through
pg_prepared_statements even after we execute SET SESSION AUTHORIZATION.
Is this an expected behavior?
It is not a problem in normal use because the *real* user is same
before and after changing ROLEs, but we should be careful about
sharing connections between different users in connection pooling.
Almost connection poolings don't do that, though.
Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2008-06-16 09:38:59 | Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses |
| Previous Message | Andrew Sullivan | 2008-06-16 07:20:40 | Re: TODO Item: Allow pg_hba.conf to specify host names along with IP addresses |