Re: Increasing security in a shared environment ...
| От | Andrew Dunstan |
|---|---|
| Тема | Re: Increasing security in a shared environment ... |
| Дата | |
| Msg-id | 40687824.5040000@dunslane.net обсуждение исходный текст |
| Ответ на | Re: Increasing security in a shared environment ... (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Increasing security in a shared environment ...
|
| Список | pgsql-hackers |
Tom Lane wrote: >Andrew Dunstan <andrew@dunslane.net> writes: > > >>I just played around briefly with removing *all* public access to a >>couple of catalog tables - pg_class and pg_attrdef. Obviously this >>breaks things like \d and friends. I'm not sure how much else it might >>break - >> >> > >pg_dump, for starters ... > > Right. So I played around a little more and restored read priv but only for the db owner, which seemed to work, and makes some sense to me. >I'm not sure that hiding the contents of the current database's catalog >is all that useful a goal in practice. If you have two users sharing a >database then probably you *want* them to be able to exchange some >amount of information. > It's that "probably" that niggles a bit. I don't know what usage patterns other people have, and since my typical use is exactly *one* user other than the owner/dba, and all access is mediated by my middleware, none of this affects me. ISTM we need to cater for as broad a set of usage patterns as is reasonable. >I can see the use-case for hiding contents of >the shared tables (pg_database, pg_shadow, pg_group) in installations >where different users have different databases but you want to run just >one common postmaster. Even there, though, it doesn't seem all that >essential --- its only usefulness is security by obscurity. > > > That phrase to me denotes "something they could easily discover if only they knew about it". How would they discover the contents of these, assuming they did know about them and we blocked access? What is not clear to me is how we would even decide which databases to hide, if it is not an all or nothing deal. Marc's phrase "those resources that they have permissions to see" doesn't define it nearly nicely enough. Say I block access to db foo to all users but bar via pg_hba.conf. Would we then want to prevent all other users from seeing foo in the list of databases? Things like that are why I started exploring a somewhat broader approach. cheers andrew
В списке pgsql-hackers по дате отправления: