Re: Security... - Mailing list pgsql-hackers

From Simon Riggs
Subject Re: Security...
Msg-id 1089070222.17493.150.camel@stromboli
In response to Security...  (Steve Holdoway <steve@treshna.com>)
List pgsql-hackers
On Mon, 2004-07-05 at 23:27, Steve Holdoway wrote:
> Hi folks,
> 
> I'm trying to seriously restrict what a particular user can see within a 
> database. Using various schemas, rules, groups and grants, I've managed 
> to restrict them to only being able to _do_ what I want them to, but 
> they can still _see_ the rest of the schemas, system tables, etc. I've 
> tried revoking everything on public, pg_catalogs, etc, but you can still 
> describe tables.
> 
> Anyone know how to stop this, or if it's even possible??
> 

I think there was some discussion on this on the ODBC list.

Teradata and Oracle use views that have a subselect in them that only
displays objects that a user has at least one privilege on/over.

In Oracle, they're called ALL and USER views, so there are multiple
versions of the schema depending upon your (security) needs. Teradata
gives you the option at system init time.

Currently, psql issues complex SQL directly against the catalog, though
I did once have plans to rework that so the same commands would be
available from any interface.

Best regards, Simon Riggs
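
The privilege-filtered catalog view described in the message above, sketched for PostgreSQL as an added example that is not part of the original post or of PostgreSQL itself. The schema name `visible` and view name `all_tables` are hypothetical, and the comma-separated privilege list assumes a PostgreSQL release that accepts it in `has_table_privilege`.

```sql
-- Added illustration: an Oracle ALL_TABLES-style view for PostgreSQL.
-- Names "visible" and "all_tables" are hypothetical.
CREATE SCHEMA visible;

CREATE VIEW visible.all_tables AS
SELECT n.nspname                   AS schema_name,
       c.relname                   AS table_name,
       pg_get_userbyid(c.relowner) AS owner
FROM   pg_catalog.pg_class     c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'v')              -- ordinary tables and views
  -- The caller must be able to reach the schema at all ...
  AND  has_schema_privilege(n.oid, 'USAGE')
  -- ... and hold at least one privilege on the object. With a
  -- comma-separated list the function returns true if ANY is held.
  -- The check is evaluated for the role running the query, not the
  -- view owner.
  AND  has_table_privilege(
           c.oid,
           'SELECT, INSERT, UPDATE, DELETE, REFERENCES, TRIGGER');

-- Everyone may query the filtered view; each caller sees a different set.
GRANT USAGE  ON SCHEMA visible            TO PUBLIC;
GRANT SELECT ON        visible.all_tables TO PUBLIC;

-- Check as the restricted role: only objects it has a privilege on appear.
-- SET ROLE restricted_user;               -- hypothetical role name
-- SELECT * FROM visible.all_tables ORDER BY schema_name, table_name;
```

The view filters only what it returns itself; a client that queries `pg_catalog.pg_class` directly, as psql does, is not affected by it.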


