Re: security flaw
От | Robert Treat |
---|---|
Тема | Re: security flaw |
Дата | |
Msg-id | 1055166605.4604.351.camel@camel обсуждение исходный текст |
Ответ на | security flaw (ohp@pyrenet.fr) |
Список | pgsql-hackers |
On Sat, 2003-06-07 at 14:04, ohp@pyrenet.fr wrote: > Hi all, > > I wonder if it's a security problem: One of my customer noticed that he > could see all databases on the system with phppgadmin. not only he sees > databases but tables, views, fonctions... Fortunatly he can't see any row. > > This customer has the ability to create databases but not users. > I wonder if the super_user privilege should be separated from the > priviledge of creating databases/users. > > I alose think that only a superuser should list databases and objects. > > What do you think? phppgadmin has some options to hide some of this information, but clearly understand that users can always submit arbitrary sql to get the same information, so you'd have to change the back end's security model to really keep people from finding this kind of information out. I know many of our users would welcome that change. Robert Treat phpPgAdmin Team -- Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
В списке pgsql-hackers по дате отправления: