On Sat, 2003-06-07 at 14:04, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I wonder if it's a security problem: One of my customer noticed that he
> could see all databases on the system with phppgadmin. not only he sees
> databases but tables, views, fonctions... Fortunatly he can't see any row.
>
> This customer has the ability to create databases but not users.
> I wonder if the super_user privilege should be separated from the
> priviledge of creating databases/users.
>
> I alose think that only a superuser should list databases and objects.
>
> What do you think?
phppgadmin has some options to hide some of this information, but
clearly understand that users can always submit arbitrary sql to get the
same information, so you'd have to change the back end's security model
to really keep people from finding this kind of information out. I know
many of our users would welcome that change.
Robert Treat
phpPgAdmin Team
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly
