#1: Revoking usage of pg_catalog

Posted on 2007-05-09 15:05:21 by Daniel Cristian Cruz

Hi there!

Is it possible to revoke usage of pg_catalog for a specific user?

The reason is to secure PostgreSQL. If a user can connect to a database, it
could query pg_class, pg_attribute and pg_proc to search for specific tables and,
if using dblink, even database passwords...

I just made a test, revoking usage of pg_catalog from PUBLIC, but tables are
still available through "SELECT * FROM pg_class", but not through "SELECT *
FROM pg_catalog.pg_class". I found in the manual where it says pg_catalog is
searched before any schema on search_path...

If schema pg_catalog were blocked, could PostgreSQL still be used? Would it be
possible to make queries on allowed schemas and tables? Could this be an
item for the wishlist?

Kind regards,
--
Daniel Cristian Cruz

#2: Re: Revoking usage of pg_catalog

Posted on 2007-05-09 16:52:18 by Tom Lane

"Daniel Cristian Cruz" <danielcristian@gmail.com> writes:
> Is it possible to revoke usage of pg_catalog for a specific user?

No, not if you'd like them to be able to do anything useful.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly

#3: Re: Revoking usage of pg_catalog

Posted on 2007-05-09 19:52:59 by Scott Marlowe

On Wed, 2007-05-09 at 08:05, Daniel Cristian Cruz wrote:
> Hi there!
>
> Is it possible to revoke usage of pg_catalog for a specific user?
>
> The reason is to secure PostgreSQL. If a user can connect to a
> database, it could query pg_class, pg_attribute, pg_proc search for
> specific tables and if using dblink, even database passwords...

That's not security, it's obscurity.

You can grant / revoke access to anything a user should or should not be
able to access anyway.

#4: Re: Revoking usage of pg_catalog

Posted on 2007-05-09 20:09:41 by Daniel Cristian Cruz

2007/5/9, Scott Marlowe <smarlowe@g2switchworks.com>:
> On Wed, 2007-05-09 at 08:05, Daniel Cristian Cruz wrote:
> > Hi there!
> >
> > Is it possible to revoke usage of pg_catalog for a specific user?
> >
> > The reason is to secure PostgreSQL. If a user can connect to a
> > database, it could query pg_class, pg_attribute, pg_proc search for
> > specific tables and if using dblink, even database passwords...
>
> That's not security, it's obscurity.

Yes, I used the wrong expression.

> You can grant / revoke access to anything a user should or should not be
> able to access anyway.

It's a web application user. I was trying to make some database magic,
hardening SQL injections... But it's wrong, the application must be
secure. Unfortunately I can't have a database user for each web user...

Thanks...
--
Daniel Cristian Cruz

#5: Re: Revoking usage of pg_catalog

Posted on 2007-05-10 01:47:57 by John DeSoi

On May 9, 2007, at 2:09 PM, Daniel Cristian Cruz wrote:

> It's a web application user. I was trying to make some database magic,
> hardening SQL injections... But it's wrong, the application must be
> secure. Unfortunately I can't have a database user for each web user...

I don't see the issue if users don't connect directly to the
database, only through your web application. You then have complete
control over any query executed. You should not have to worry about
SQL injection if you use prepared queries and stored procedures.



John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL



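Added example, not from the thread: the least-privilege setup Scott Marlowe's reply points at (grant the shared web role exactly what it needs and nothing else) together with the prepared query John DeSoi recommends. The database name shopdb, schema app, roles app_owner and webapp, and the two tables are assumed; pg_catalog is left readable, as the thread concludes it must be.

```sql
-- Roles: one owner for the application objects, one login role for the web app.
-- The web role is not a superuser and cannot create databases or roles.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Remove the defaults every role inherits via PUBLIC, then grant back only what webapp needs.
REVOKE ALL ON DATABASE shopdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE shopdb TO webapp;

-- Application objects live in their own schema, owned by app_owner (assumed layout).
CREATE SCHEMA app AUTHORIZATION app_owner;
CREATE TABLE app.orders   (id serial PRIMARY KEY, customer_id int, total numeric);
CREATE TABLE app.accounts (id serial PRIMARY KEY, login text, secret text);
ALTER TABLE app.orders   OWNER TO app_owner;
ALTER TABLE app.accounts OWNER TO app_owner;

-- webapp may read and insert orders; it is never granted anything on accounts.
GRANT USAGE ON SCHEMA app TO webapp;
GRANT SELECT, INSERT ON app.orders TO webapp;
GRANT USAGE ON SEQUENCE app.orders_id_seq TO webapp;

-- Checks, run from a superuser session so that SET ROLE is permitted.
SET ROLE webapp;
-- The catalog stays readable, so the table NAME is visible (this is the
-- "obscurity" the thread talks about)...
SELECT relname FROM pg_class WHERE relname = 'accounts';
-- ...but the DATA is not: ERROR: permission denied for table accounts
SELECT * FROM app.accounts;
RESET ROLE;

-- Prepared statement: the value is bound as a typed parameter and never spliced
-- into the SQL text, so whatever the web user typed is handled as data, not SQL.
PREPARE find_orders(int) AS
    SELECT id, total FROM app.orders WHERE customer_id = $1;
EXECUTE find_orders(42);
```

Run the script as a superuser in psql; the SELECT on app.accounts is expected to fail, which is the point of the check.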