Re: Insufficient attention to security in contrib (mostly)

From: Josh Berkus
Subject: Re: Insufficient attention to security in contrib (mostly)
Msg-id: 200708272232.36291.josh@agliodbs.com
In reply to: Re: Insufficient attention to security in contrib (mostly)  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: Insufficient attention to security in contrib (mostly)
List: pgsql-hackers

Tom,

> Now you can argue that approximate database size information simply
> isn't that useful to an attacker, and maybe that's true.  But are
> we prepared to make a policy decision that we aren't going to try to
> protect such information at all? 

But it's not making *no* attempt.  This is a special case; it only applies 
when a limited number of databases share the same tablespace.  If the admin 
is concerned about protecting private info about database size, then either 
put the DBs in separate tablespaces, or make sure there's so many dbs in the 
tablespace that no useful information can be derived.

Hmmm ... except we're not requiring even permission on *one* DB in the 
tablespace, are we?  That *is* an issue.  How difficult would it be to require 
that the requestor have CONNECT on at least one DB in the tablespace?  Like 
by requiring them to be connected to that DB, or to be the Superuser?


-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco

