| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: unprivileged user |
| Date: | 2009-12-10 22:20:06 |
| Message-ID: | 4B217416.4000008@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
>
>> The other day I returned idly to thinking about some work I did a few
>> years ago on creating a totally unprivileged user, i.e. one with not
>> even public permissions.
>>
>
> And the point would be what exactly?
>
>
>
Well, when I was looking at it originally it was in the context of a
layered security setup, where we wanted to minimise the danger from a
client machine (say a web server) being subverted. The reasoning was
that if the subverted user had no access to the database layout, but had
only access to a very tightly defined set of stored functions, it would
be harder to devise attacks against the database. It might be argued
that this is security by obscurity, but obscurity does have some uses,
albeit never as a complete security mechanism.
Some time later it came up again, this time when someone wanted to use a
readonly database (hence no pg_dump required) with an application and
wanted to keep the database layout and the source code of stored
functions hidden as they regarded it as proprietary information.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Mielke | 2009-12-10 22:24:08 | Re: Adding support for SE-Linux security |
| Previous Message | David P. Quigley | 2009-12-10 22:13:18 | Re: Adding support for SE-Linux security |