Re: ODBC Driver exposes tables and views that a user does - Mailing list pgsql-odbc

From Shachar Shemesh
Subject Re: ODBC Driver exposes tables and views that a user does
Date
Msg-id 4296CC14.6030708@shemesh.biz
Whole thread Raw
In response to ODBC Driver exposes tables and views that a user does not have permission to access.  ("Harris, Richard" <Richard_Harris@adp.com>)
List pgsql-odbc
Harris, Richard wrote:

>Hi,
>
>PostgreSQL server 7.4.2
>psqlODBC driver: 7.03.02.00
>
>I created a database user in a postgresql cluster. I granted that user
>SELECT permission to a few views. I created a DSN for that user to
>connect to postgreSQL from a Windows PC. When I use the DSN in MS Access
>to link to the views, the Link Tables list includes many tables and
>views that the user has no permission to access. Is this a defect in the
>ODBC driver? Is there a work around for this?
>
>
As far as security models are concerned, a driver should never impose
the security policy. The reason for that is very simple - bypassing the
driver will give you access to things you thought were secure. A driver
should give the user the maximal power available to her. If Postgresql
allows a user to get a list of views that the user has no permission to
access, then it's the driver's job to give this list.

If you think this security consideration is wrong, the place to complain
about that is pgsql-hackers or pgsql-users. There is nothing ODBC can do
about this.

>Thanks,
>Rich Harris
>
>
       Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html


pgsql-odbc by date:

Previous
From: "Harris, Richard"
Date:
Subject: ODBC Driver exposes tables and views that a user does not have permission to access.
Next
From: "Brian J. Erickson"
Date:
Subject: IM003 when using ODBC