On Mon, Jul 10, 2006 at 01:42:27PM -0400, Phil Frost wrote: > I think that misses the point. One can easily find objects in a schema > without usage by examining the system catalogs. The point is that there > are ways to access objects without going through the schema usage check, > and also that the check is made only once at the time a name is resolved > to an oid, which may then be cached in a prepared statement, stored > procedure, lastval, or the like. I would suggest something more like > this:
Can you SELECT/UPDATE/DELETE from a table knowing only its oid? I'd like to see that trick. lastval() is an odd case, given the user doesn't actually supply the oid. > In applications where security is very important, it may be wise to > assure that no users have undesired privileges on objects within a > schema, and not to rely solely on the schema usage privilege. Indeed, never give priveledges unless you're sure you want people to have them. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > From each according to his ability. To each according to his ability to > litigate.
signature.asc
Description: Digital signature
