Обсуждение: Hiding name and version
Hi,
Is it possible to prevent users from running the “version” function or all system information functions? If so, how?
Thank you,
Damian
On 09/17/2015 10:32 AM, Quiroga, Damian wrote: > Hi, > > Is it possible to prevent users from running the “version” function or > all system information functions? If so, how? You could probably revoke access to the function(s) (I haven't tried it because it seems very silly). JD -- Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564 PostgreSQL Centered full stack support, consulting and development. Announcing "I'm offended" is basically telling the world you can't control your own emotions, so everyone else should do it for you.
Thanks for your answer. I've tried something like "REVOKE EXECUTE ON FUNCTION version() FROM someuser;" and it doesn't work. Apparently you can only revoke permissions that you have explicitly granted before. Any other ideas? Damian -----Original Message----- From: Joshua D. Drake [mailto:jd@commandprompt.com] Sent: Thursday, September 17, 2015 3:05 PM To: Quiroga, Damian; pgsql-general@postgresql.org Subject: Re: [GENERAL] Hiding name and version On 09/17/2015 10:32 AM, Quiroga, Damian wrote: > Hi, > > Is it possible to prevent users from running the "version" function or > all system information functions? If so, how? You could probably revoke access to the function(s) (I haven't tried it because it seems very silly). JD -- Command Prompt, Inc. - http://www.commandprompt.com/ 503-667-4564 PostgreSQL Centered full stack support, consulting anddevelopment. Announcing "I'm offended" is basically telling the world you can't control your own emotions, so everyone else should doit for you.
"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 09/17/2015 10:32 AM, Quiroga, Damian wrote:
>> Is it possible to prevent users from running the �version� function or
>> all system information functions? If so, how?
> You could probably revoke access to the function(s) (I haven't tried it
> because it seems very silly).
I believe revoking public execute access would work, but I concur that
this specific request seems entirely pointless. Anyone with SQL-level
access to the server, and a copy of the release notes, can soon determine
what version they are talking to by testing for the presence or absence of
assorted features and bugs.
Keep in mind also that pg_dump or pg_upgrade would not preserve such
alterations to system functions.
regards, tom lane
"Quiroga, Damian" <damian.quiroga@intel.com> writes:
> I've tried something like "REVOKE EXECUTE ON FUNCTION version() FROM someuser;" and it doesn't work.
> Apparently you can only revoke permissions that you have explicitly granted before.
The default behavior for built-in functions is as though the bootstrap
superuser has granted execute access to PUBLIC. You would need to
reverse that (and then grant it back to any non-superusers who
should have it).
regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> writes: > "Joshua D. Drake" <jd@commandprompt.com> writes: > >> On 09/17/2015 10:32 AM, Quiroga, Damian wrote: >>> Is it possible to prevent users from running the version function or >>> all system information functions? If so, how? > >> You could probably revoke access to the function(s) (I haven't tried it >> because it seems very silly). > > I believe revoking public execute access would work, but I concur that > this specific request seems entirely pointless. Anyone with SQL-level > access to the server, and a copy of the release notes, can soon determine > what version they are talking to by testing for the presence or absence of > assorted features and bugs. > > Keep in mind also that pg_dump or pg_upgrade would not preserve such > alterations to system functions. And let's not forget... show server_version or server_version_num; Oh, and interactive psql without -q prints server version in the banner :-) > > regards, tom lane -- Jerry Sievers Postgres DBA/Development Consulting e: postgres.consulting@comcast.net p: 312.241.7800
Good to know. Thanks everyone. -----Original Message----- From: Jerry Sievers [mailto:gsievers19@comcast.net] Sent: Thursday, September 17, 2015 11:03 PM To: Tom Lane Cc: Joshua D. Drake; Quiroga, Damian; pgsql-general@postgresql.org Subject: Re: [GENERAL] Hiding name and version Tom Lane <tgl@sss.pgh.pa.us> writes: > "Joshua D. Drake" <jd@commandprompt.com> writes: > >> On 09/17/2015 10:32 AM, Quiroga, Damian wrote: >>> Is it possible to prevent users from running the "version" function >>> or all system information functions? If so, how? > >> You could probably revoke access to the function(s) (I haven't tried >> it because it seems very silly). > > I believe revoking public execute access would work, but I concur that > this specific request seems entirely pointless. Anyone with SQL-level > access to the server, and a copy of the release notes, can soon > determine what version they are talking to by testing for the presence > or absence of assorted features and bugs. > > Keep in mind also that pg_dump or pg_upgrade would not preserve such > alterations to system functions. And let's not forget... show server_version or server_version_num; Oh, and interactive psql without -q prints server version in the banner :-) > > regards, tom lane -- Jerry Sievers Postgres DBA/Development Consulting e: postgres.consulting@comcast.net p: 312.241.7800