Discussion:
Opinion wanted: Default select rights for users via public schema
(too old to reply)
Tom Lane
2003-12-22 15:21:09 UTC
Permalink
I found that all users have access to pg_class etc. by default. In my
opinion this causes some security questions or at least can make users
curious about things they should not.
This isn't going to change, because it would break too many clients
(as indeed you just found out). Give users their own databases if you
feel you need that much separation.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to ***@postgresql.org
Bruno Wolff III
2003-12-27 04:14:13 UTC
Permalink
On Fri, Dec 26, 2003 at 15:39:00 +0100,
I see. But sometimes your solution is not possible. E.g. if I have a
critical application (banking?) and several kind of users on it. Some
users should NOT know, what is also around them but they have to use the
application. And if they know little about the rdbms they will find
things, they should not know, and they will be interested in and they
will search for knowing what is in, and so on....
It is unlikely that keeping the table structure secret is of much
importance. They can get that by several means (like running the
application under a debugger).

In some cases you might not want people to know the approximate number
of rows in some tables or other things you can find out from the
catalogs. But in general this won't be true. And I wouldn't expect
business applications to be one of the areas where this is likely to
be a problem.
In my opinion this is a (dd) design error done longe time ago. Now it
depends where do we want to go with PostgreSQL. In my opinion with this
"bug" (and some others) we will allways have the image of "little boys
(and girls) playing little around with rdbms.
I disagree. The current system allows for flexibility in the clients.
You can get information from the catalogs without having to have a special
function created for each type of information you want to get. (And
even that wouldn't really solve your problem since information will
leak via timing.)
Would it not be possible, e.g. to say we have a new interface now (e.g.
pg_tables, user_tables, all_tables and so on) and application should now
use the new interface and the old interface will outage in 2 or 3 years.
Otherwise we will never get rid of this problems.
I think writing a proxy between the database and your applications may
be a better solution if you only want to provide very limited access
to the database.

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to ***@postgresql.org so that your
message can get through to the mailing list cleanly

Loading...