On Sat, 7 Jun 2003 [EMAIL PROTECTED] wrote:

> Hi all,
> 
> I wonder if it's a security problem: One of my customers noticed that he
> could see all databases on the system with phppgadmin. Not only does he see
> databases but tables, views, functions... Fortunately he can't see any row.
> 
> This customer has the ability to create databases but not users.
> I wonder if the super_user privilege should be separated from the
> privilege of creating databases/users.
> 
> I also think that only a superuser should list databases and objects.
> 
> What do you think?

Since security by obscurity is presumed to be ineffective, conversely, 
revealing the location of an object produces no real decrease in security.

Now, it might be nice from the user's perspective if they could filter out 
the stuff they don't have access to, in order to ensure a nice neat little 
view of their own data in a galaxy of information (i.e. 100 other users 
each with their own data set and privileges.)

Since schemas provide a simple way to limit your own view, they provide 
for that function.

Can phppgadmin be programmed to only use certain search paths in the 
schema?
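
The distinction discussed in this thread (object names are listable through the system catalogs, while rows stay protected by privileges) and the kind of privilege-filtered listing an admin tool could present, shown as an added example that is not part of the original message. It assumes a current PostgreSQL release and is run by a superuser in a scratch database; the role, schema and table names are hypothetical.

```sql
-- Constructed setup: two tenants, each owning one schema and one table.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
CREATE SCHEMA alice AUTHORIZATION alice;
CREATE SCHEMA bob AUTHORIZATION bob;
CREATE TABLE alice.invoices (id int PRIMARY KEY, amount numeric);
CREATE TABLE bob.orders (id int PRIMARY KEY, total numeric);
ALTER TABLE alice.invoices OWNER TO alice;
ALTER TABLE bob.orders OWNER TO bob;

-- Per-role default search path; applied at that role's next login.
ALTER ROLE alice SET search_path = alice;
ALTER ROLE bob SET search_path = bob;

-- Act as alice. SET ROLE does not load per-role settings, so set the path here.
SET ROLE alice;
SET search_path = alice;

-- 1. Catalog view: both tenants' table names are listed, as the customer saw.
SELECT n.nspname, c.relname
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname IN ('alice', 'bob');

-- 2. Data access: this statement is rejected because alice lacks USAGE on
--    schema bob, so it is left commented out.
-- SELECT * FROM bob.orders;

-- 3. Filtered listing: only tables and views the current role can read.
SELECT n.nspname, c.relname
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_schema_privilege(n.oid, 'USAGE')
  AND has_table_privilege(c.oid, 'SELECT');

RESET search_path;
RESET ROLE;
```

Query 3 is a presentation filter, not an access control: the underlying catalogs remain readable to every role, so the protection of the data rests on the schema and table privileges alone.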

