Re: Catalog Security WAS: Views, views, views: Summary
From | Stephen Frost |
---|---|
Subject | Re: Catalog Security WAS: Views, views, views: Summary |
Date | |
Msg-id | 20050514125516.GE30011@ns.snowman.net |
In response to | Re: Catalog Security WAS: Views, views, views: Summary (Christopher Kings-Lynne <chriskl@familyhealth.com.au>) |
Responses | Re: Catalog Security WAS: Views, views, views: Summary |
List | pgsql-hackers |
* Christopher Kings-Lynne (chriskl@familyhealth.com.au) wrote:
> >It bothers me a great deal that I can't control very easily what a given
> >user can see when they connect over ODBC or via phppgadmin in terms of
> >schemas, tables and columns. I fixed this in application code in
> >phppgadmin but that's clearly insufficient since it doesn't do anything
> >for the other access methods.
>
> Modifying phpPgAdmin is useless - people can query the catalogs manually.

It's not entirely *useless*; it's just not a proper fix for the security issue, I'll grant you that. Personally I found the hack that I did pretty useful since most of my users aren't likely to go sniffing through the catalog and it was a temporary workaround for the complaints until there's a proper fix.

> Hackers - we get an email about information hiding in shared
> postgresql/phppgadmin installations at least once a fortnight :)

I agree with this- it needs to be dealt with and fixed already, once and for all.

Thanks,

Stephen