Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) - Mailing list pgsql-general

From Bruce Momjian
Subject Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date
Msg-id 200809231952.m8NJqTP05977@momjian.us
In response to Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)  ("Merlin Moncure" <mmoncure@gmail.com>)
Responses Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)  (Glyn Astill <glynastill@yahoo.co.uk>)
List pgsql-general
Added to TODO under features not wanted:

    Obfuscated function source code (not wanted)

        Obfuscating function source code has minimal protective benefits
        because anyone with super-user access can find a way to view the code.
        To prevent non-super-users from viewing function source code, remove
        SELECT permission on pg_proc.


---------------------------------------------------------------------------

Merlin Moncure wrote:
> On Tue, Sep 16, 2008 at 9:15 AM, Glyn Astill <glynastill@yahoo.co.uk> wrote:
> >
> > As much as I'm impressed with the "we do it properly or not at all" attitude, it'd be nice if there was an option to stop the casual user from viewing code.
> >
> > I'll admit to obfuscating bits and pieces using C, even though the function and everything it acts on are tied down with permissions. I understand in reality it provides no real extra security but somehow users being able to easily view something they don't have access to execute beyond its name just feels wrong.
>
> This is one of those threads that reappears like magic every six
> months or so.  The last round of discussion went longer than normal
> including a couple of routes to implementation.
>
> One big reason why nothing has been done is that there is a decent
> 'low tech' obfuscation tactic already: remove select access from
> pg_proc to the user accounts in question and 'public'.  This will
> essentially disable casual browsing of procedure code from user
> accounts.
>
> Any real solution should focus on:
> *) key management (any serious discussion with encryption starts here)
> *) other things you can do with function source besides encryption
>
> for example, take a look at one idea I had (not at all vetted, but a start):
> http://archives.postgresql.org/pgsql-performance/2007-12/msg00337.php
>
> merlin

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
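
Added example (not part of the messages above, and not code from the PostgreSQL project): the "remove SELECT permission on pg_proc" step written out as a script for a scratch database, with a check that the restricted account can still execute a function whose body it can no longer read. The role app_user and the function secret_calc are hypothetical names; the pg_get_functiondef() step applies to releases newer than the ones current when this thread was written.

```sql
-- Run as a superuser in a scratch database.
-- app_user and secret_calc are hypothetical names used for illustration.
CREATE ROLE app_user LOGIN;

CREATE FUNCTION secret_calc(x integer) RETURNS integer
    LANGUAGE sql AS $$ SELECT x * 42 $$;

-- Permissions on the function itself: only app_user may execute it.
REVOKE ALL ON FUNCTION secret_calc(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION secret_calc(integer) TO app_user;

-- Before the change: any role can read the body from the catalog.
SET ROLE app_user;
SELECT proname, prosrc FROM pg_catalog.pg_proc WHERE proname = 'secret_calc';
RESET ROLE;

-- The step from the thread: remove SELECT on pg_proc from PUBLIC and
-- from the user accounts in question.
REVOKE SELECT ON pg_catalog.pg_proc FROM PUBLIC;
REVOKE SELECT ON pg_catalog.pg_proc FROM app_user;

-- On releases that have pg_get_functiondef(), it returns function text
-- without a SELECT on pg_proc, so close that path for PUBLIC as well.
REVOKE EXECUTE ON FUNCTION pg_catalog.pg_get_functiondef(oid) FROM PUBLIC;

-- Verify from the superuser session: both columns should be false.
SELECT has_table_privilege('app_user', 'pg_catalog.pg_proc', 'SELECT')
           AS can_read_pg_proc,
       has_function_privilege('app_user', 'pg_catalog.pg_get_functiondef(oid)',
                              'EXECUTE')
           AS can_call_functiondef;

-- Verify from the restricted account.
SET ROLE app_user;
SELECT secret_calc(1);           -- still executes
SELECT prosrc FROM pg_catalog.pg_proc
 WHERE proname = 'secret_calc';  -- fails: permission denied
RESET ROLE;

-- Superusers bypass these checks, as the TODO entry says, so this only
-- stops casual browsing by ordinary accounts.
```

Client features that query pg_proc directly, such as psql's \df, also stop working for the restricted accounts.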
