Skip site navigation (1) Skip section navigation (2)

Re: ODBC Driver exposes tables and views that a user does

From: Shachar Shemesh <psql(at)shemesh(dot)biz>
To: "Harris, Richard" <Richard_Harris(at)adp(dot)com>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: ODBC Driver exposes tables and views that a user does
Date: 2005-05-27 07:28:20
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-odbc
Harris, Richard wrote:

>PostgreSQL server 7.4.2
>psqlODBC driver:
>I created a database user in a postgresql cluster. I granted that user
>SELECT permission to a few views. I created a DSN for that user to
>connect to postgreSQL from a Windows PC. When I use the DSN in MS Access
>to link to the views, the Link Tables list includes many tables and
>views that the user has no permission to access. Is this a defect in the
>ODBC driver? Is there a work around for this?
As far as security models are concerned, a driver should never impose 
the security policy. The reason for that is very simple - bypassing the 
driver will give you access to things you thought were secure. A driver 
should give the user the maximal power available to her. If Postgresql 
allows a user to get a list of views that the user has no permission to 
access, then it's the driver's job to give this list.

If you think this security consideration is wrong, the place to complain 
about that is pgsql-hackers or pgsql-users. There is nothing ODBC can do 
about this.

>Rich Harris

Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work?

In response to

pgsql-odbc by date

Next:From: Brian J. EricksonDate: 2005-05-27 15:34:29
Subject: IM003 when using ODBC
Previous:From: Jacques I. Peterson, VDate: 2005-05-27 00:54:47
Subject: Breaking News

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group