Thread: pg_user
hi can we change initdb when view pg_user is createing to : CREATE VIEW pg_user AS \ SELECT \ usename, \ usesysid, \ usecreatedb, \ usesuper, \ usecatupd,\ '********'::text as passwd, \ valuntil, \ useconfig \ FROM pg_shadow WHERE usename = SESSION_USER; ?
ivan wrote: > hi > > can we change initdb when view pg_user is createing to : > > CREATE VIEW pg_user AS \ > SELECT \ > usename, \ > usesysid, \ > usecreatedb, \ > usesuper, \ > usecatupd, \ > '********'::text as passwd, \ > valuntil, \ > useconfig \ > FROM pg_shadow WHERE usename = SESSION_USER; No, at least not without a complete proposal how to retain the current behaviour of pg_tables, pg_views, psql's \d and other places that rely on pg_user being able to display all users. It's the same thing with your /etc/passwd. chmod o-rwx /etc/passwd will hide the usernames but break many utilities. If you don't want someone to know all the logins, don't give him one. Jan -- #======================================================================# # It's easier to get forgiveness for being wrong than for being right. # # Let's break this rule - forgive me. # #================================================== JanWieck@Yahoo.com #
you can also patch your kernel and when you write cat /etc/passwd system give you only your line , whitout any others users, so exacly what you need , in pgsql i think that users dont need to know about others , and also them databases, i call it security :) On Mon, 27 Oct 2003, Jan Wieck wrote: > ivan wrote: > > > hi > > > > can we change initdb when view pg_user is createing to : > > > > CREATE VIEW pg_user AS \ > > SELECT \ > > usename, \ > > usesysid, \ > > usecreatedb, \ > > usesuper, \ > > usecatupd, \ > > '********'::text as passwd, \ > > valuntil, \ > > useconfig \ > > FROM pg_shadow WHERE usename = SESSION_USER; > > No, at least not without a complete proposal how to retain the current > behaviour of pg_tables, pg_views, psql's \d and other places that rely > on pg_user being able to display all users. > > It's the same thing with your /etc/passwd. chmod o-rwx /etc/passwd will > hide the usernames but break many utilities. If you don't want someone > to know all the logins, don't give him one. > > > Jan > > -- > #======================================================================# > # It's easier to get forgiveness for being wrong than for being right. # > # Let's break this rule - forgive me. # > #================================================== JanWieck@Yahoo.com # >
rfc 1925 (see http://www.faqs.org/rfcs/rfc1925.html ) states: "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead." You can call it security if you like, but I call it trying to make a pig fly. If you don't want your users to know about each other then put them on different clusters. Or if they need access to the same data then mediate access via a middle layer at the server end instead of allowing direct access to the database(s) - three layer models are very common for this and other reasons. cheers andrew ivan wrote: >you can also patch your kernel and when you write cat /etc/passwd system >give you only your line , whitout any others users, so exacly what you >need , >in pgsql i think that users dont need to know about others , and also >them >databases, i call it security :) > >On Mon, 27 Oct 2003, Jan Wieck wrote: > > > >>ivan wrote: >> >> >> >>>hi >>> >>>can we change initdb when view pg_user is createing to : >>> >>>CREATE VIEW pg_user AS \ >>> SELECT \ >>> usename, \ >>> usesysid, \ >>> usecreatedb, \ >>> usesuper, \ >>> usecatupd, \ >>> '********'::text as passwd, \ >>> valuntil, \ >>> useconfig \ >>> FROM pg_shadow WHERE usename = SESSION_USER; >>> >>> >>No, at least not without a complete proposal how to retain the current >>behaviour of pg_tables, pg_views, psql's \d and other places that rely >>on pg_user being able to display all users. >> >>It's the same thing with your /etc/passwd. chmod o-rwx /etc/passwd will >>hide the usernames but break many utilities. If you don't want someone >>to know all the logins, don't give him one. >> >> >>Jan >> >>-- >>#======================================================================# >># It's easier to get forgiveness for being wrong than for being right. # >># Let's break this rule - forgive me. # >>#================================================== JanWieck@Yahoo.com # >> >> >> > >---------------------------(end of broadcast)--------------------------- >TIP 3: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly > > >
On Thu, 30 Oct 2003, ivan wrote: > > you can also patch your kernel and when you write cat /etc/passwd system > give you only your line , whitout any others users, so exacly what you > need , > in pgsql i think that users dont need to know about others , and also > them > databases, i call it security :) technically, that's just obscurity.
ivan wrote: > you can also patch your kernel and when you write cat /etc/passwd system > give you only your line , whitout any others users, so exacly what you > need , > in pgsql i think that users dont need to know about others , and also > them > databases, i call it security :) No, it's not security, it is obscurity. The point is that this modification is not backward compatible and the only scenario I can imagine where it would be good to have this is for a hosting provider who want's to cram up multiple hosted databases under one postmaster. I am not per se against such change. It never striked me as a good idea in general that we only have the one, shared pg_shadow catalog and all databases share all users. So I think what I try to say is ... back to the drawing board, because your initial solution is not acceptable. Jan > > On Mon, 27 Oct 2003, Jan Wieck wrote: > >> ivan wrote: >> >> > hi >> > >> > can we change initdb when view pg_user is createing to : >> > >> > CREATE VIEW pg_user AS \ >> > SELECT \ >> > usename, \ >> > usesysid, \ >> > usecreatedb, \ >> > usesuper, \ >> > usecatupd, \ >> > '********'::text as passwd, \ >> > valuntil, \ >> > useconfig \ >> > FROM pg_shadow WHERE usename = SESSION_USER; >> >> No, at least not without a complete proposal how to retain the current >> behaviour of pg_tables, pg_views, psql's \d and other places that rely >> on pg_user being able to display all users. >> >> It's the same thing with your /etc/passwd. chmod o-rwx /etc/passwd will >> hide the usernames but break many utilities. If you don't want someone >> to know all the logins, don't give him one. >> >> >> Jan >> >> -- >> #======================================================================# >> # It's easier to get forgiveness for being wrong than for being right. # >> # Let's break this rule - forgive me. # >> #================================================== JanWieck@Yahoo.com # >> -- #======================================================================# # It's easier to get forgiveness for being wrong than for being right. # # Let's break this rule - forgive me. # #================================================== JanWieck@Yahoo.com #