Re: security flaw - Mailing list pgsql-hackers

From Robert Treat
Subject Re: security flaw
Date
Msg-id 1055166605.4604.351.camel@camel
Whole thread Raw
In response to security flaw  (ohp@pyrenet.fr)
List pgsql-hackers
On Sat, 2003-06-07 at 14:04, ohp@pyrenet.fr wrote:
> Hi all,
> 
> I wonder if it's a security problem: One of my customer noticed that he
> could see all databases on the system with phppgadmin. not only he sees
> databases but tables, views, fonctions... Fortunatly he can't see any row.
> 
> This customer has the ability to create databases but not users.
> I wonder if the super_user privilege should be separated from the
> priviledge of creating databases/users.
> 
> I alose think that only a superuser should list databases and objects.
> 
> What do you think?

phppgadmin has some options to hide some of this information, but
clearly understand that users can always submit arbitrary sql to get the
same information, so you'd have to change the back end's security model
to really keep people from finding this kind of information out. I know
many of our users would welcome that change.

Robert Treat
phpPgAdmin Team 
-- 
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: freeaddrinfo2 changes.
Next
From: Kurt Roeckx
Date:
Subject: Re: cvs ETA?