Thread: perm question

perm question

From
ivan
Date:
Hi,
why, when I revoke all on schema pg_catalog from all (with public),
can I still select from pg_ tables and views as an ordinary user?
I can use this schema, so why can I select?

Then I removed the SELECT permission from PUBLIC on the pg_ tables, and then I can't
select from these tables, but I can select from views,
even though I don't have permission to select from the source tables of these views.

What do you think about using REs in select, or only relation names, like:
revoke all on table pg_* from public? etc.?

And how to disallow: LISTEN, SET, RESET, and SHOW?

bye
iv



Re: perm question

From
Tom Lane
Date:
ivan <iv@psycho.pl> writes:
> why, when I revoke all on schema pg_catalog from all (with public),
> can I still select from pg_ tables and views as an ordinary user?

Hm.  pg_catalog is forcibly placed into the search path, thus bypassing
the normal check on whether you have USAGE privilege on it.  I suppose
that could be claimed to be a bug ... but in point of fact, honoring
denial of USAGE on pg_catalog would mean that the system would fail to
function at all.  So I cannot see any actual usefulness in doing such a
thing.  You might as well just delete the user entirely as forbid him
access to pg_catalog.

> And how to disallow: LISTEN, SET, RESET, and SHOW?

Explain why we should?
        regards, tom lane


Re: perm question

From
ivan
Date:

> > And how to disallow: LISTEN, SET, RESET, and SHOW?
>
> Explain why we should?
>
When you want to LISTEN to something, pg inserts a record into pg_listens (?) or somewhere
there, so why could someone rubbish my db?

In my project I need to close everything, even most of pg_catalog.
The user should exec only special functions and nothing more. He knows which they are.

It would be very good (I think) to divide pg_catalog into more parts, like types
(with in/out/cast functions), pg tables, and the rest of the functions ...

(And why does pg use "namespace" and "schema"? Why do we need these 2 words?)

Btw, I have one more question: I have a lot of namespaces, and I don't use all of them at one time, so when I need one I
just

    SET search_path TO need_namespace;

When I use it in plpgsql it works without problems, e.g.:

    create table other_nsp.table(i int);
    create function _ble() returns boolean as 'begin set search_path to other_nsp; delete from table; end; ......

It works fine, but when I want to use the SQL language there is an error that my table doesn't exist, i.e.:

    create ..  as 'set search_path to other_nsp; delete from table ;

-- and there is an error, but why? One line above I replaced search_path??
 

I tried it with a transaction block, but it was the same result.

thx :>
bye, ivan


Re: perm question

From
Tom Lane
Date:
ivan <iv@psycho.pl> writes:
> In my project I need to close everything, even most of pg_catalog.
> The user should exec only special functions and nothing more. He knows which they are.

It sounds to me like you shouldn't be allowing your users to execute SQL
commands directly at all.
        regards, tom lane


Re: perm question

From
ivan
Date:
Maybe not all, but only select from same function.
Is there something like umask????

On Wed, 16 Jul 2003, Tom Lane wrote:

> ivan <iv@psycho.pl> writes:
> > In my project I need to close everything, even most of pg_catalog.
> > The user should exec only special functions and nothing more. He knows which they are.
>
> It sounds to me like you shouldn't be allowing your users to execute SQL
> commands directly at all.
>
>             regards, tom lane
>