| From: | "Goeke, Tobias" <TGoeke(at)ElectronicPartner(dot)de> |
|---|---|
| To: | Marko Ristola <marko(dot)ristola(at)kolumbus(dot)fi>, Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-odbc(at)postgresql(dot)org |
| Subject: | Re: Ignoring the limited user-rights by using ODBC |
| Date: | 2005-03-31 10:14:50 |
| Message-ID: | 72F45784D0E25A429B21E156EAEFE5E3E5523A@muenchen.ep.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-odbc |
The crux is that the \d commands in psql does not necessarily define
the scope of a user's access privileges. (referring to Peter Eisentraut)
So there can't exist a solution for my "problem" (better wish!) because the
user must read out of the other tables in the views.
I should accept it that they are shown in the choice via odbc.
Thanks a lot for helping me!
Tobias Goeke
-----Ursprüngliche Nachricht-----
Von: Marko Ristola [mailto:marko(dot)ristola(at)kolumbus(dot)fi]
Gesendet: Mittwoch, 30. März 2005 20:48
An: Peter Eisentraut
Cc: Goeke, Tobias; pgsql-odbc(at)postgresql(dot)org
Betreff: Re: [ODBC] Ignoring the limited user-rights by using ODBC
I remember from some other databases, that
the schema is not for security. It is for application
logic:
If you have marko.branch and users.branch
tables, you can link to both by
select * from marko.branch
union
select * from users.branch
You can revoke rights from the tables with the following commands:
revoke all from marko on marko.branch;
revoke all from marko on users.branch;
After these, "marko" user is not able to read, or write into the tables.
You can play with the schema like this with ODBC:
set search_path to marko,public; -- the new schema is "marko"
select * from branch; /* points into marko.branch */
set search_path to users,public;
select * from branch; /* points into users.branch */
Read or write rights (grant/revoke) for the table and
visibility (naming, search path, namespace, schema) of the table
name are a different thing.
Marko Ristola
Peter Eisentraut wrote:
>Goeke, Tobias wrote:
>
>
>>If i connect to the database via obdc with this user, all schemes are
>>shown. So i am able to select all the tables and views e.g. in excel,
>>although the user isn't autorized.
>>
>>
>
>It is not possible that the ODBC driver can circumvent privileges that
>would otherwise apply. Please provide a detailed way to reproduce your
>problem.
>
>Note that what the \d commands in psql show does not necessarily define
>the scope of a user's access privileges. It merely shows what might be
>of interest to the user.
>
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Luis Sousa | 2005-03-31 13:32:53 | UPDATE problem |
| Previous Message | Bruce Momjian | 2005-03-31 04:16:21 | Re: Driver maintenance continuation |