public inbox for [email protected]  
From: Laurenz Albe <[email protected]>
To: sreekanta reddy <[email protected]>
To: [email protected]
Subject: Re: Permissions for Newly Created User
Date: Fri, 18 Oct 2024 16:45:32 +0200
Message-ID: <[email protected]>
In-Reply-To: <CAK5dmvD-63hFPBZ+GnuZEO9Knabpw1wnrWnrHuADjWPFF-Pgvw@mail.gmail.com>
References: <CAK5dmvD-63hFPBZ+GnuZEO9Knabpw1wnrWnrHuADjWPFF-Pgvw@mail.gmail.com>

On Fri, 2024-10-18 at 15:41 +0530, sreekanta reddy wrote:
> I would also like to suggest an enhancement to the default behavior for newly created users in PostgreSQL.
> 
> Observed Issue:
> User Created: testdb
> Command used: CREATE USER testdb WITH PASSWORD 'dhsfjobodjjbsdj';
> After creating the user testdb, I observed that the user could still view objects, schemas, and their
> structures, as well as system tables and views, which contradicts the intended restricted permissions.

People have complained about that before, but that's working as designed: most metadata are visible
to everybody.  Perhaps we should add that as "feature we don't want" to the TODO list.

The standard suggestion is to use different databases if users shouldn't see each other's
objects' metadata.

> Suggested Privileges for Newly Created Normal Users:
> I would like to suggest enhancements to the default behavior for newly created normal users in PostgreSQL to improve data security:
> 
> Database Connection: The user should have the ability to connect only to postgres databases by default

I am not fundamentally against that, but it would be a painful compatibility break, and the
gain is small.  After all, the default "pg_hba.conf" file forbids remote connections, and
you can get the same effect with the right entries in "pg_hba.conf".

> Read-Only Configurations: The user should have read-only access to view database configuration parameters.

Why?  The ability to change certain parameters on the fly in your session is a feature.

> I would also like to highlight a security concern regarding password handling:
> 
> When creating or altering a user's password, the log file captures the password in plain text format, which could be a potential security risk.
> However, when using the \password command in psql, the password is logged in its hashed format (SHA-256), which is a more secure practice.
> I recommend extending this hashed logging format to all password creation and modification operations.

You mean to hash it just for logging?

After you sent it to the server in clear text, so that the DBA could capture it with an
event trigger?  Where is the point?  The log file is to be treated as sensitive data.

Yours,
Laurenz Albe
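The two remedies above (keep tenants in separate databases, and pin a role to its database in pg_hba.conf) and the point about catalog visibility, as an added example that is not part of the thread or of PostgreSQL's documentation. Role name app_user, database app_db and the CIDR ranges are placeholders; the pg_hba.conf lines are shown as comments because they are not SQL.

```sql
-- Added example: confine a new role to one database and check what it
-- can still see. app_user / app_db / 10.0.0.0/8 are placeholders.

-- 1. Create the role without a password literal. CREATE ROLE ... PASSWORD
--    'x' sends the cleartext password to the server, so with
--    log_statement = 'ddl' (or a statement-logging extension) it lands
--    verbatim in the server log. psql's \password instead sends an
--    ALTER ROLE carrying an already-computed SCRAM-SHA-256 verifier.
CREATE ROLE app_user LOGIN;

-- 2. PUBLIC gets CONNECT on every database by default, so a fresh role
--    can connect to postgres (and any other database) and read its
--    catalog. Take CONNECT away from PUBLIC on each database the role
--    must not reach, then grant it explicitly on the one it may use.
REVOKE CONNECT ON DATABASE postgres FROM PUBLIC;
CREATE DATABASE app_db;
REVOKE CONNECT ON DATABASE app_db FROM PUBLIC;
GRANT  CONNECT ON DATABASE app_db TO app_user;

-- 3. Same effect at the authentication layer in pg_hba.conf (comments,
--    not SQL). The first matching line wins, so the allow line must come
--    before the reject lines; the reject lines stop app_user from
--    connecting to any other database over any other path.
--    # TYPE  DATABASE  USER      ADDRESS      METHOD
--    host    app_db    app_user  10.0.0.0/8   scram-sha-256
--    host    all       app_user  0.0.0.0/0    reject
--    local   all       app_user               reject

-- 4. Catalog visibility is not a revocable privilege: inside app_db,
--    app_user with no privileges on any schema can still enumerate
--    every table and its owner. This query returns rows for tables the
--    role cannot SELECT from, which is the "working as designed" point.
SELECT n.nspname, c.relname, c.relowner::regrole AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');

-- 5. Verify the CONNECT restriction from the superuser side: only app_db
--    should report true for app_user after step 2.
SELECT datname,
       has_database_privilege('app_user', datname, 'CONNECT') AS can_connect
FROM pg_database
WHERE NOT datistemplate
ORDER BY datname;
```

Step 2 and step 3 are independent layers: the REVOKE/GRANT is enforced at database-open time for every client, while pg_hba.conf is enforced at authentication and also lets you bind the role to a source network. Step 4 is the check that shows why neither layer hides metadata from a role that is allowed to connect at all.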