Yes. A number of people in the company have mentioned that our customers can see tables and structures which they shouldn't know exist.
Not a severe issue, but it's a checkmark for those wanting to switch to Oracle. Revoking read access to system catalogs causes interesting things to occur :) -- Rod Taylor Your eyes are weary from staring at the CRT. You feel sleepy. Notice how restful it is to watch the cursor blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise. ----- Original Message ----- From: "Bruce Momjian" <[EMAIL PROTECTED]> To: "Rod Taylor" <[EMAIL PROTECTED]> Cc: "Hackers List" <[EMAIL PROTECTED]> Sent: Sunday, April 14, 2002 9:33 PM Subject: Re: [HACKERS] Security Issue.. > Rod Taylor wrote: > > I'm running into a minor issue with security in regards to users being > > able to see constructs that they have no access too. > > > > The solution? Information_Schema coupled with no direct access to > > pg_catalog. Internals can use pg_catalog, possibly super users, but > > regular users shouldn't be able to do any reads / writes to it > > directly -- as per spec with definition_schema. > > Is the problem that people can see system catalog columns that should be > more secure? > > -- > Bruce Momjian | http://candle.pha.pa.us > [EMAIL PROTECTED] | (610) 853-3000 > + If your life is a hard drive, | 830 Blythe Avenue > + Christ can be your backup. | Drexel Hill, Pennsylvania 19026 > ---------------------------(end of broadcast)--------------------------- TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])