Home > mailing lists

Re: user-based query white list - Mailing list pgsql-hackers

From	Andrew Dunstan
Subject	Re: user-based query white list
Date	December 7, 2008 15:41:21
Msg-id	493BFCA7.5010000@dunslane.net Whole thread Raw
In response to	Re: user-based query white list (Andrew Chernow <ac@esilo.com>)
Responses	Re: user-based query white list (Andrew Chernow <ac@esilo.com>) Re: user-based query white list (Andrew Chernow <ac@esilo.com>)
List	pgsql-hackers

Tree view

Andrew Chernow wrote:
>
> I think what is missing is a way to deny the execution of queries that 
> don't operate on an object (like a table, sequence, role, schema, 
> etc...), OR queries not covered by the priv system.  Object-based 
> queries can be locked down using the existing priv system.  Not sure 
> if denying non-object related queries would work; what happens when 
> you call "SELECT NOW()" within an allowed function?
>
>

What exactly are you trying to protect against?

In general, my attitude is that databases should not allow direct access 
from untrusted sources.  The API restriction you are talking about is 
something that is trivially easy to build into middleware, and only the 
middleware should be allowed access to the database.

cheers

andrew

pgsql-hackers by date:

From: Andrew Chernow
Date: 07 December 2008, 14:20:01
Subject: Re: user-based query white list

From: Andrew Dunstan
Date: 07 December 2008, 15:44:17
Subject: Re: Mostly Harmless: Welcoming our C++ friends

Re: user-based query white list - Mailing list pgsql-hackers

Previous

Next