Return-Path: postarch
Received: by postgres.Berkeley.EDU (5.61/1.29) id AA18421; Thu, 7 Nov 91 10:54:40 -0800
Message-Id: <9111071854.AA18421@postgres.Berkeley.EDU>
From: postarch (Postgres Mailing Archive)
Subject: Re: Postgres security
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
In-Reply-To: Your message of "Thu, 07 Nov 91 08:18:59 PST." <9111071618.AA15926@postgres.Berkeley.EDU>
Date: Thu, 07 Nov 91 10:54:29 PST

In message <9111071618.AA15926@postgres.Berkeley.EDU> you write:
> I've just installed postgres on a Sun and I'm looking at the possibility of
> using postgres as a database server for a user accounting system I'm
> writing. I built libpq on a Convex 3220 and I wrote a sample program on
> the Convex to access a demo database on the Sun. Everything works great.
>
> My question is: Does postgres do any kind of security checks to prevent
> unauthorized users from accessing another user's database? There did not
> appear to be any kind of checks to prevent me from reading the database on
> the Sun.

Postgres is currently very weak in the area of security. The only check
it does is against pg_user to ensure that the person using Postgres is
allowed to do so. Any postgres user can access any database and examine
any relation in that database. The postgres rule systems can provide a
rather unique way of doing your own security, i.e. defining rules to
protect your relations. There is currently no built-in mechanism for
determining who's accessing the system, but you can define your own
function to determine this. However, without network security and
serious DBMS support these measures would be easy to circumvent.

> I'm also wondering if there is a postgres usenet conference.

No.

Jeff Meredith
mer@postgres.berkeley.edu