Re: Disable databse listing for non-superuser (\l) ?
From | Andreas Wenk |
---|---|
Subject | Re: Disable databse listing for non-superuser (\l) ? |
Date | |
Msg-id | 4A6B0E4B.2080103@netzmeister-st-pauli.de |
In response to | Re: Disable databse listing for non-superuser (\l) ? (Bill Moran <wmoran@potentialtech.com>) |
Responses | Re: Disable databse listing for non-superuser (\l) ? |
List | pgsql-general |

Bill Moran wrote:
> Scott Marlowe <scott.marlowe@gmail.com> wrote:
>> On Fri, Jul 24, 2009 at 5:02 PM, Brian A.
>> Seklecki<lavalamp@spiritual-machines.org> wrote:
>>> All:
>>>
>>> Any suggestions on how-to, or comments on a potential NFR, to disable
>>> non-superuser's from viewing the database list via \l?
>> So, is this a misguided attempt at security through obscurity, or are
>> you looking at limiting the noise that users see when they look at
>> databases?
>
> I don't know about misguided, Scott. Security takes many forms.
>
> If a client wants shared database hosting, but wants an assurance that
> other clients using the same shared DB server can't tell who else is
> using it?
>
> It's not security in the strict computer-science definition. Obviously,
> if the proper ownerships and grants don't exist to protect the data, in
> addition to said obscurity, then the whole thing is pointless. But such
> obscurity _in_addition_ to proper, real security, has shown usefulness
> in many areas.
>
> Take a properly secured SSH server, for example, and move it to an obscure
> port #. Now you've reduced the number of mindless bots looking for
> unprotected root accounts, and your IDS solution that monitors the ssh
> logs is actually useful. Of course, that's only effective if ssh is
> properly secured to begin with.
>
> Similar concept.
>
> Many clients want the cost-effectiveness of shared DB hosting. Many of
> them also want it kept under wraps that they're doing so. The provider
> that can do such a thing gets the contract. Those that complain about
> "it's not security, it's obscurity" do not get the contract.
>
> I mean, didn't Apple just kill someone for letting their new iPhone
> design leak?

This is now going off topic - but what do you mean with your last sentence?

Cheers

Andy