Re: Insufficient attention to security in contrib (mostly)
From | Josh Berkus |
---|---|
Subject | Re: Insufficient attention to security in contrib (mostly) |
Date | |
Msg-id | 200708272232.36291.josh@agliodbs.com |
In reply to | Re: Insufficient attention to security in contrib (mostly) (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: Insufficient attention to security in contrib (mostly) |
List | pgsql-hackers |

Tom,

> Now you can argue that approximate database size information simply
> isn't that useful to an attacker, and maybe that's true. But are
> we prepared to make a policy decision that we aren't going to try to
> protect such information at all?

But it's not making *no* attempt. This is a special case; it only applies when a limited number of databases share the same tablespace. If the admin is concerned about protecting private info about database size, then either put the DBs in separate tablespaces, or make sure there's so many dbs in the tablespace that no useful information can be derived.

Hmmm ... except we're not requiring even permission on *one* DB in the tablespace are we? That *is* an issue. How difficult would it be to require that the requestor have CONNECT on at least one DB in the tablespace? Like by requiring them to be connected to that DB, or to be the Superuser?

--
Josh Berkus
PostgreSQL @ Sun
San Francisco