Re: leaky views, yet again
Joshua D. Drake <jd@commandprompt.com>
From: "Joshua D. Drake" <jd@commandprompt.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Greg Stark <gsstark@mit.edu>, Tom Lane <tgl@sss.pgh.pa.us>, KaiGai Kohei <kaigai@kaigai.gr.jp>, KaiGai Kohei <kaigai@ak.jp.nec.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2010-10-05T18:59:43Z
Lists: pgsql-hackers
On Tue, 2010-10-05 at 14:49 -0400, Robert Haas wrote: > On Tue, Oct 5, 2010 at 2:08 PM, Greg Stark <gsstark@mit.edu> wrote: > > Though I find it unlikely the sales people would have direct access to > > run arbitrary SQL -- let alone create custom functions. > > I have definitely seen shops where virtually everyone has SQL-level > access to the database. Uhh... yeah it is very common to point access at the database and say go for it. Very common. > Several of them. Most of them were pretty > insecure, but it certainly doesn't help anything when the database has > no capability to do anything better. Now, I will grant you that not > everyone in those organizations was actually smart enough to do > meaningful things with the access they had, but I never found that > very comforting. The better argument here is, the majority (by far, just google it) of espionage is done IN HOUSE. It doesn't matter if it is a sales person. It could be a disgruntled DBA. JD -- PostgreSQL.org Major Contributor Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579 Consulting, Training, Support, Custom Development, Engineering http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt