Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
From | Bruce Momjian |
---|---|
Subject | Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) |
Date | |
Msg-id | 200809231952.m8NJqTP05977@momjian.us |
In response to | Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) ("Merlin Moncure" <mmoncure@gmail.com>) |
Responses |
Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
|
List | pgsql-general |
Added to TODO under features not wanted:

Obfuscated function source code (not wanted)

Obfuscating function source code has minimal protective benefits because anyone with super-user access can find a way to view the code. To prevent non-super-users from viewing function source code, remove SELECT permission on pg_proc.

---------------------------------------------------------------------------

Merlin Moncure wrote:
> On Tue, Sep 16, 2008 at 9:15 AM, Glyn Astill <glynastill@yahoo.co.uk> wrote:
> >
> > As much as I'm impressed with the "we do it properly or not at all" attitude, it'd be nice if there was an option to stop the casual user from viewing code.
> >
> > I'll admit to obfuscating bits and pieces using C, even though the function and everything it acts on are tied down with permissions. I understand in reality it provides no real extra security but somehow users being able to easily view something they don't have access to execute beyond its name just feels wrong.
>
> This is one of those threads that reappears like magic every six
> months or so. The last round of discussion went longer than normal
> including a couple of routes to implementation.
>
> One big reason why nothing hasn't been done is that there is a decent
> 'low tech' obfuscation tactic already: remove select access from
> pg_proc to the user accounts in question and 'public'. This will
> essentially disable casual browsing of procedure code from user
> accounts.
>
> Any real solution should focus on:
> *) key management (any serious discussion with encryption starts here)
> *) other things you can do with function source besides encryption
>
> for example, take a look at one idea I had (not at all vetted, but a start):
> http://archives.postgresql.org/pgsql-performance/2007-12/msg00337.php
>
> merlin
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
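
The permission change described in the message above, with checks that it took effect, as an added example that is not part of the original post or of the PostgreSQL project's own material. It assumes a superuser session on PostgreSQL 9.3 or later; the role name app_user is hypothetical and everything is rolled back at the end.

```sql
-- Added example (not from the thread). The role name app_user is hypothetical.
-- Run as a superuser; the transaction is rolled back, so nothing persists.
BEGIN;

CREATE ROLE app_user NOLOGIN;   -- constructed test role

-- The step the TODO entry describes. PUBLIC holds SELECT on the catalog by
-- default, so that grant is the one that matters; the second REVOKE covers a
-- role that was also granted SELECT directly.
REVOKE SELECT ON pg_catalog.pg_proc FROM PUBLIC;
REVOKE SELECT ON pg_catalog.pg_proc FROM app_user;

-- Check 1: does the role still hold SELECT on pg_proc?
SELECT has_table_privilege('app_user', 'pg_catalog.pg_proc', 'SELECT')
       AS can_select_pg_proc;

-- Check 2: who is still listed with SELECT in the catalog's ACL?
-- grantee 0 is PUBLIC; any other row is a direct grant to review.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_catalog.pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM   pg_catalog.pg_class AS c,
       aclexplode(c.relacl) AS a
WHERE  c.oid = 'pg_catalog.pg_proc'::regclass
AND    a.privilege_type = 'SELECT';

-- Check 3: pg_get_functiondef() (added after this thread, in 8.4) returns a
-- function's source without a SELECT on pg_proc, and PUBLIC may execute it by
-- default, so it has to be inspected and revoked separately.
SELECT has_function_privilege('app_user',
                              'pg_catalog.pg_get_functiondef(oid)',
                              'EXECUTE') AS can_call_functiondef;
REVOKE EXECUTE ON FUNCTION pg_catalog.pg_get_functiondef(oid) FROM PUBLIC;

ROLLBACK;   -- replace with COMMIT to keep the changes
```

Client tools that read pg_proc as the restricted role, such as psql's \df, stop working for that role once the REVOKE is committed. As the message says, none of this affects superusers.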