Tom mentioned that he had not had these security concerns raised before. From my point of view I just have no idea about the level of information offered to any given user and am scared to run PostgreSQL in an ISP shared environment because of it. I am sure I can secure people from connecting to a db by refusing them access in pg_hba.conf. But I'm unsure of exactly what that buys me, and what is doesn't.
It's certainly also a concern of mine that any given use can see every
table in the database. I see that as a definite problem and just
assumed it was already on the radar and something that was planned to be
fixed. It astounds me that the claim is that such security is
impossible.
It bothers me a great deal that I can't control very easily what a given user can see when they connect over ODBC or via phppgadmin in terms of schemas, tables and columns. I fixed this in application code in phppgadmin but that's clearly insufficient since it doesn't do anything for the other access methods.
Modifiying phpPgAdmin is useless - people can query the catalogs manually.
Hackers - we get an email about information hiding in shared postgresql/phppgadmin installations at least once a fortnight :)
Chris
---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
