Search Postgresql Archives

Re: Rationale for PUBLIC having CREATE and USAGE privileges on the schema "public" by default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Saturday, February 17, 2018, Olegs Jeremejevs <olegs@xxxxxxxxxxxxxx> wrote:
Okay, in other words, there's no way to completely defend oneself from DoS attacks which require having a session? If so, is there a scenario where some bad actor can create a new user for themselves (to connect to the database with), and not be able to do anything more damaging than that? For example, if I can do an SQL injection, then I can do something more clever than running a CREATE ROLE. And if not, then there's no point in worrying about privileges in a single-tenant database? Beyond human error safeguards.

Roles that applications use should not be superuser or given createrole so your example should not arise.  But any logged user can do something like:

Select * from generate_series1,100000000) cross join generate_series(1,100000000)

Privileges are largely valuable for information privacy and security, and preventing subtle attacks.

David J.


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux