Thread: ODBC Driver exposes tables and views that a user does not have permission to access.
ODBC Driver exposes tables and views that a user does not have permission to access.
From
"Harris, Richard"
Date:
Hi, PostgreSQL server 7.4.2 psqlODBC driver: 7.03.02.00 I created a database user in a postgresql cluster. I granted that user SELECT permission to a few views. I created a DSN for that user to connect to postgreSQL from a Windows PC. When I use the DSN in MS Access to link to the views, the Link Tables list includes many tables and views that the user has no permission to access. Is this a defect in the ODBC driver? Is there a work around for this? Thanks, Rich Harris
Harris, Richard wrote:
>Hi,
>
>PostgreSQL server 7.4.2
>psqlODBC driver: 7.03.02.00
>
>I created a database user in a postgresql cluster. I granted that user
>SELECT permission to a few views. I created a DSN for that user to
>connect to postgreSQL from a Windows PC. When I use the DSN in MS Access
>to link to the views, the Link Tables list includes many tables and
>views that the user has no permission to access. Is this a defect in the
>ODBC driver? Is there a work around for this?
>
>
As far as security models are concerned, a driver should never impose
the security policy. The reason for that is very simple - bypassing the
driver will give you access to things you thought were secure. A driver
should give the user the maximal power available to her. If Postgresql
allows a user to get a list of views that the user has no permission to
access, then it's the driver's job to give this list.
If you think this security consideration is wrong, the place to complain
about that is pgsql-hackers or pgsql-users. There is nothing ODBC can do
about this.
>Thanks,
>Rich Harris
>
>
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html