Yes.
A number of people in the company have mentioned that our customers
can see tables and structures which they shouldn't know exist.
Not a severe issue, but it's a checkmark for those wanting to switch
to Oracle.
Revoking read access to system catalogs causes interesting things to
occur :)
--
Rod Taylor
Your eyes are weary from staring at the CRT. You feel sleepy. Notice
how restful it is to watch the cursor blink. Close your eyes. The
opinions stated above are yours. You cannot imagine why you ever felt
otherwise.
----- Original Message -----
From: "Bruce Momjian" <pgman@candle.pha.pa.us>
To: "Rod Taylor" <rbt@zort.ca>
Cc: "Hackers List" <pgsql-hackers@postgresql.org>
Sent: Sunday, April 14, 2002 9:33 PM
Subject: Re: [HACKERS] Security Issue..
> Rod Taylor wrote:
> > I'm running into a minor issue with security in regards to users
being
> > able to see constructs that they have no access too.
> >
> > The solution? Information_Schema coupled with no direct access to
> > pg_catalog. Internals can use pg_catalog, possibly super users,
but
> > regular users shouldn't be able to do any reads / writes to it
> > directly -- as per spec with definition_schema.
>
> Is the problem that people can see system catalog columns that
should be
> more secure?
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman@candle.pha.pa.us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania
19026
>
