Re: lastval exposes information that currval does not

From Martijn van Oosterhout
Subject Re: lastval exposes information that currval does not
Date
Msg-id 20060710182408.GH17723@svana.org
In reply to Re: lastval exposes information that currval does not  (Phil Frost <indigo@bitglue.com>)
Responses Re: lastval exposes information that currval does not  (Phil Frost <indigo@bitglue.com>)
List pgsql-hackers
On Mon, Jul 10, 2006 at 01:42:27PM -0400, Phil Frost wrote:
> I think that misses the point. One can easily find objects in a schema
> without usage by examining the system catalogs. The point is that there
> are ways to access objects without going through the schema usage check,
> and also that the check is made only once at the time a name is resolved
> to an oid, which may then be cached in a prepared statement, stored
> procedure, lastval, or the like. I would suggest something more like
> this:

Can you SELECT/UPDATE/DELETE from a table knowing only its oid? I'd
like to see that trick. lastval() is an odd case, given the user
doesn't actually supply the oid.

>     In applications where security is very important, it may be wise to
>     assure that no users have undesired privileges on objects within a
>     schema, and not to rely solely on the schema usage privilege.

Indeed, never give privileges unless you're sure you want people to
have them.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
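
The check suggested in the quoted documentation text (not relying solely on the schema usage privilege) can be run as a catalog query. This is an added example, not part of the original message or of PostgreSQL's own code; it assumes a PostgreSQL release that provides `has_sequence_privilege` and is run by a role that can read `pg_roles`.

```sql
-- Added example: audit for roles that hold privileges on objects inside a
-- schema on which they do NOT have USAGE. Such grants are dormant as long as
-- name lookup is the only way in, but they are what the privilege check falls
-- back on once a name has already been resolved to an oid (prepared
-- statements, stored procedures, lastval, as discussed in the thread).
SELECT r.rolname                AS role_name,
       n.nspname                AS schema_name,
       c.relname                AS object_name,
       CASE c.relkind
            WHEN 'S' THEN 'sequence'
            WHEN 'v' THEN 'view'
            WHEN 'm' THEN 'materialized view'
            ELSE 'table'
       END                      AS object_type
FROM   pg_class      c
JOIN   pg_namespace  n ON n.oid = c.relnamespace
CROSS  JOIN pg_roles r
WHERE  c.relkind IN ('r', 'p', 'v', 'm', 'S')
  -- skip system schemas
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  n.nspname NOT LIKE 'pg_toast%'
  AND  n.nspname NOT LIKE 'pg_temp%'
  -- superusers bypass privilege checks, so they are not interesting here
  AND  NOT r.rolsuper
  -- the role cannot resolve names in this schema ...
  AND  NOT has_schema_privilege(r.oid, n.oid, 'USAGE')
  -- ... yet holds at least one privilege on an object inside it
  -- (a comma-separated list is true if ANY listed privilege is held;
  --  grants to PUBLIC and inherited role memberships are included)
  AND  (
         (c.relkind <> 'S'
          AND has_table_privilege(r.oid, c.oid,
                                  'SELECT, INSERT, UPDATE, DELETE'))
      OR (c.relkind = 'S'
          AND has_sequence_privilege(r.oid, c.oid,
                                     'USAGE, SELECT, UPDATE'))
       )
ORDER  BY r.rolname, n.nspname, c.relname;
```

Each returned row is a grant to review and, if unintended, to revoke on the object itself rather than at the schema level.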
