Home > mailing lists

Re: Isn't pg_statistic a security hole? - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Isn't pg_statistic a security hole?
Date	May 6, 2001 18:12:20
Msg-id	29425.989176323@sss.pgh.pa.us Whole thread Raw
In response to	Re: Isn't pg_statistic a security hole? (Stephan Szabo <sszabo@megazone23.bigpanda.com>)
List	pgsql-hackers

Tree view

Stephan Szabo <sszabo@megazone23.bigpanda.com> writes:
>> This is infeasible since we don't have a concept of per-row permissions.
>> It's all or nothing.

> Maybe make statistics readable only by superusers with a view that uses
> CURRENT_USER or something like that to only give the objects that
> have owners of this user?  Might be an ugly view, but...

Hmm, that would work --- you could join against pg_class to find out the
owner of the relation.  While you were at it, maybe look up the
attribute name in pg_attribute as well.  Anyone want to propose a
specific view definition?
        regards, tom lane

pgsql-hackers by date:

From: "Joe Conway"
Date: 06 May 2001, 17:35:57
Subject: Re: Isn't pg_statistic a security hole?

From: "Joe Conway"
Date: 06 May 2001, 19:02:12
Subject: Re: Isn't pg_statistic a security hole?

Re: Isn't pg_statistic a security hole? - Mailing list pgsql-hackers

Previous

Next