Thread: problems with user rights
Hello,
I've just added a new user called xxx:

create user xxx with password zzz;

Now I'm creating its database:

create database db_xxx with owner xxx;

It works fine, although when logging in with the user xxx I can still view other databases' contents, especially the pg_catalog schemas.

Is it the right way to add a user? Am I wrong?
I don't want to let my new user view the other databases on the server.
No one can help me over here?

On Mon, 28 Mar 2005 15:32:32 +0200, Zouari Fourat <fourat@gmail.com> wrote:
> Hello,
> I've just added a new user called xxx:
>
> create user xxx with password zzz;
>
> Now I'm creating its database:
>
> create database db_xxx with owner xxx;
>
> It works fine, although when logging in with the user xxx I can still
> view other databases' contents, especially the pg_catalog schemas.
>
> Is it the right way to add a user? Am I wrong?
> I don't want to let my new user view the other databases on the server.
> I've just added a new user called xxx:
>
> create user xxx with password zzz;
>
> Now I'm creating its database:
>
> create database db_xxx with owner xxx;
>
> It works fine, although when logging in with the user xxx I can still
> view other databases' contents, especially the pg_catalog schemas.
>
> Is it the right way to add a user? Am I wrong?
> I don't want to let my new user view the other databases on the server.

Viewing the information in the system catalogs is open to all users.
There is not a way to hide it unless you build an interface on top of
PostgreSQL that limits the queries the user can execute.

John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
Is it really secure in a shared hosting environment case?
Do you advise me to offer pgsql in a shared hosting?

On Wed, 30 Mar 2005 08:04:00 -0500, John DeSoi <desoi@pgedit.com> wrote:
> > I've just added a new user called xxx:
> >
> > create user xxx with password zzz;
> >
> > Now I'm creating its database:
> >
> > create database db_xxx with owner xxx;
> >
> > It works fine, although when logging in with the user xxx I can still
> > view other databases' contents, especially the pg_catalog schemas.
> >
> > Is it the right way to add a user? Am I wrong?
> > I don't want to let my new user view the other databases on the server.
>
> Viewing the information in the system catalogs is open to all users.
> There is not a way to hide it unless you build an interface on top of
> PostgreSQL that limits the queries the user can execute.
>
> John DeSoi, Ph.D.
> http://pgedit.com/
> Power Tools for PostgreSQL
On Mar 30, 2005, at 10:17 AM, Zouari Fourat wrote:
> Is it really secure in a shared hosting environment case?
> Do you advise me to offer pgsql in a shared hosting?

You can do all of the necessary things to control access to the
databases. You just can't hide that they exist if you provide a way to
directly query the database. There are many companies providing shared
hosting. I'm not aware of any security issues.

John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
On Wed, 2005-03-30 at 10:14, John DeSoi wrote:
> On Mar 30, 2005, at 10:17 AM, Zouari Fourat wrote:
>
> > Is it really secure in a shared hosting environment case?
> > Do you advise me to offer pgsql in a shared hosting?
>
> You can do all of the necessary things to control access to the
> databases. You just can't hide that they exist if you provide a way to
> directly query the database. There are many companies providing shared
> hosting. I'm not aware of any security issues.

My preferred way to set up access is to use the sameuser setting in
pg_hba.conf, which lets a user only connect to the database of their
name. Nicely partitions the server with minimum configuration needed.
On Wed, Mar 30, 2005 at 11:14:38AM -0500, John DeSoi wrote:
> On Mar 30, 2005, at 10:17 AM, Zouari Fourat wrote:
>
> > Is it really secure in a shared hosting environment case?
> > Do you advise me to offer pgsql in a shared hosting?
>
> You can do all of the necessary things to control access to the
> databases.

...like using pg_hba.conf to control who's allowed to connect to
each database. If you don't want people to query the system catalogs
for a particular database, then don't allow them to connect to that
database (there are a few shared catalogs that anybody can query,
however).

The db_user_namespace configuration variable might help with managing
access, but the documentation says that it's "intended as a temporary
measure until a complete solution is found," so caveat administrator.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
Anyone can help me with a sample of pg_hba.conf?

On Wed, 30 Mar 2005 09:47:31 -0700, Michael Fuhr <mike@fuhr.org> wrote:
> On Wed, Mar 30, 2005 at 11:14:38AM -0500, John DeSoi wrote:
> > On Mar 30, 2005, at 10:17 AM, Zouari Fourat wrote:
> >
> > > Is it really secure in a shared hosting environment case?
> > > Do you advise me to offer pgsql in a shared hosting?
> >
> > You can do all of the necessary things to control access to the
> > databases.
>
> ...like using pg_hba.conf to control who's allowed to connect to
> each database. If you don't want people to query the system catalogs
> for a particular database, then don't allow them to connect to that
> database (there are a few shared catalogs that anybody can query,
> however).
>
> The db_user_namespace configuration variable might help with managing
> access, but the documentation says that it's "intended as a temporary
> measure until a complete solution is found," so caveat administrator.
>
> --
> Michael Fuhr
> http://www.fuhr.org/~mfuhr/
On Thu, Mar 31, 2005 at 12:06:11PM +0200, Zouari Fourat wrote:
>
> Anyone can help me with a sample of pg_hba.conf?

See the "Client Authentication" chapter in the documentation. Here's
a link to the latest version (use a different link if you're using an
older version of PostgreSQL):

http://www.postgresql.org/docs/8.0/interactive/client-authentication.html

There are several examples at the bottom of the page.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
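Added example, not part of the thread and not PostgreSQL's own code: a small Python evaluator for the pg_hba.conf partitioning scheme the replies above describe (the sameuser setting, and controlling per-database connections in pg_hba.conf). It parses a constructed sample pg_hba.conf and answers, for a given connection attempt, which authentication method the first matching line selects, so you can check the policy before reloading the server. The model is deliberately simplified: it handles only `local` and `host` lines with CIDR addresses, the `all` and `sameuser` keywords and comma-separated name lists; `samegroup`/`samerole`, `@file` lists, `hostssl`/`hostnossl` and the old ip-mask form are not modelled. The sample config and every user and database name in it are constructed for the example.

```python
"""Simplified evaluator for pg_hba.conf rules (added example, not PostgreSQL code).

pg_hba.conf semantics modelled here:
  * lines are checked in order and the FIRST matching line decides;
  * a connection attempt that matches no line is refused;
  * DATABASE field: 'all', 'sameuser' (database name == user name),
    or a comma-separated list of database names;
  * USER field: 'all' or a comma-separated list of user names;
  * host lines also require the client address to fall inside the
    CIDR-ADDRESS field.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample pg_hba.conf: partition a shared server so that every
# user may only connect to the database that carries their own name.
SAMPLE_HBA = """
# TYPE  DATABASE   USER      CIDR-ADDRESS     METHOD
local   all        postgres                   md5
local   sameuser   all                        md5
host    sameuser   all       127.0.0.1/32     md5
host    sameuser   all       192.168.1.0/24   md5
host    all        all       0.0.0.0/0        reject
"""


@dataclass
class Rule:
    conn_type: str                        # "local" or "host"
    databases: List[str]                  # DATABASE field, split on commas
    users: List[str]                      # USER field, split on commas
    address: Optional[ipaddress._BaseNetwork]  # None for local lines
    method: str                           # e.g. md5, trust, reject


def parse_hba(text: str) -> List[Rule]:
    """Parse the supported subset of pg_hba.conf into ordered Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"malformed local line: {raw!r}")
            dbs, users, method = fields[1], fields[2], fields[3]
            address = None
        elif conn_type == "host":
            if len(fields) < 5:
                raise ValueError(f"malformed host line: {raw!r}")
            dbs, users, addr, method = fields[1:5]
            address = ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"connection type {conn_type!r} not modelled")
        rules.append(Rule(conn_type, dbs.split(","), users.split(","), address, method))
    return rules


def _db_matches(entries: List[str], database: str, user: str) -> bool:
    for entry in entries:
        if entry == "all":
            return True
        if entry == "sameuser" and database == user:
            return True
        if entry == database:
            return True
    return False


def _user_matches(entries: List[str], user: str) -> bool:
    return any(entry in ("all", user) for entry in entries)


def decide(rules: List[Rule], conn_type: str, database: str, user: str,
           client_ip: Optional[str] = None) -> str:
    """Return the METHOD of the first matching rule, or 'reject' when no
    line matches (the server refuses such connections outright)."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for rule in rules:
        if conn_type == "local":
            if rule.conn_type != "local":
                continue
        else:
            if rule.conn_type != "host" or ip is None or ip not in rule.address:
                continue
        if not _db_matches(rule.databases, database, user):
            continue
        if not _user_matches(rule.users, user):
            continue
        return rule.method
    return "reject"


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for attempt in [("local", "alice", "alice", None),
                    ("local", "bob", "alice", None),
                    ("host", "alice", "alice", "127.0.0.1"),
                    ("host", "alice", "alice", "10.0.0.5"),
                    ("local", "db_xxx", "xxx", None)]:
        print(attempt, "->", decide(rules, *attempt))
```

Two things the evaluator makes visible: the `reject` line must come last, because the first match wins; and with `sameuser` the database has to be named exactly like its user, so the `db_xxx` naming from the opening message would be refused unless the database were called `xxx` or listed by name instead. As Michael Fuhr notes above, this partitions which database a user can connect to; it does not hide the shared catalogs that every connected user can still read.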