user-based query white list

From: Andrew Chernow <ac(at)esilo(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: user-based query white list
Date: 2008-12-06 18:21:58
Message-ID: 493AC2C6.3030007@esilo.com
Lists: pgsql-hackers

Looking for a way to limit a user to a specific set of queries. I don't think
this can be done right now ... or can it? Has this feature request surfaced in
the past?

I currently need this as an extra security measure for a libpq client app (want
to block arbitrary queries from malicious attackers). The easiest way I found
was to add some query_string checks into backend/tcop/postgres.c for the 'Q' and
'P' commands in PostgresMain(). Seems to work just fine. If it doesn't match,
I issue an ereport FATAL since that is seen as a "malicious query execution
attempt".

I think it is something rather simple to design/implement (probably use a table
of user allowed queries, support regex matches, etc., loaded at session startup
and SIGHUP).

--
Andrew Chernow
eSilo, LLC
every bit counts
http://www.esilo.com/
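
The matching step proposed in the message above (a per-user table of allowed queries with regex support), sketched as an added example; it is not part of the original post and is not PostgreSQL source. The rule table, user names, and the `query_allowed` function are assumptions made for illustration, and rejecting the session (the post uses ereport FATAL) is left to the caller.

```c
/* Added example: per-user query allow-list check (not PostgreSQL source). */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed rules; the post proposes loading these from a table at
 * session startup, where the patterns would be compiled once. */
struct allow_rule { const char *user; const char *pattern; };

static const struct allow_rule rules[] = {
    { "app_ro", "SELECT name FROM items WHERE id = \\$1" },
    { "app_ro", "SELECT count\\(\\*\\) FROM items" },
    { "report", "SELECT \\* FROM sales WHERE day = '[0-9]{4}-[0-9]{2}-[0-9]{2}'" },
};

/* Returns 1 if query fully matches a rule for user, 0 otherwise
 * (default deny, including when a pattern fails to compile). */
int query_allowed(const char *user, const char *query)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        char anchored[512];
        regex_t re;
        int n, rc;

        if (strcmp(rules[i].user, user) != 0)
            continue;
        /* Anchor the whole pattern so a permitted statement followed by
         * extra text does not pass as a substring match. */
        n = snprintf(anchored, sizeof anchored, "^(%s)$", rules[i].pattern);
        if (n < 0 || (size_t) n >= sizeof anchored)
            continue;               /* pattern too long: treat as no match */
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;               /* bad pattern: treat as no match */
        rc = regexec(&re, query, 0, NULL, 0);
        regfree(&re);
        if (rc == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *q = "SELECT name FROM items WHERE id = $1";
    printf("app_ro: %d, report: %d\n",
           query_allowed("app_ro", q), query_allowed("report", q));
    return 0;
}
```

Matching is on the exact query text, so whitespace or case differences from the client's strings are rejected unless the patterns allow for them.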
