Home > mailing lists

Re: Disallow SET command in a postgresql server - Mailing list pgsql-general

From	Merlin Moncure
Subject	Re: Disallow SET command in a postgresql server
Date	April 9, 2013 19:13:23
Msg-id	CAHyXU0yU6uT-muKBzOFs3L+14LJdH38kz6cWAoPLQ2fdwwL3zQ@mail.gmail.com Whole thread Raw
In response to	Re: Disallow SET command in a postgresql server (Fabio Rueda Carrascosa <avances123@gmail.com>)
Responses	Re: Disallow SET command in a postgresql server
List	pgsql-general

Tree view

On Tue, Apr 9, 2013 at 10:57 AM, Fabio Rueda Carrascosa
<avances123@gmail.com> wrote:
> My grant/revoke architecture is fine, you mean about costly cpu/ram queries?

it has nothing to do with grant/revoke.   There are multiple trivial
things a user can do to DOS you server.  You can prevent a lot of
them, but it's definitely whack-a-mole.  If you don't believe me, try
logging into schemaverse in the next few moments.  I just took it
down.  It will come up shortly.

The only way I will advise opening up database to untrusted user is
through pgbouncer (modified to allow only v3 parameterized queries
that match a whitelist).

merlin

pgsql-general by date:

From: Alvaro Herrera
Date: 09 April 2013, 19:07:11
Subject: Re: Disallow SET command in a postgresql server

From: Merlin Moncure
Date: 09 April 2013, 19:15:47
Subject: Re: Disallow SET command in a postgresql server

Re: Disallow SET command in a postgresql server - Mailing list pgsql-general

Previous

Next