The player of games

Deny database listing in postgresql

Thu, 13 Nov 2008 15:07:42 +0100

The question

Few days ago I wanted to configure a postgresql server so that users connecting to their database would not be able to see other databases. Among other things, I wanted to restrict the usage of :

psql -l database user

This command will retrieve the list of database on the server, even if the user has no access right to them. If you issue this command, you'll et something like :

                   List of databases
              Name               |  Owner   | Encoding  
---------------------------------+----------+-----------
 database_1                      | postgres | UTF8
 database_2                      | user_foo | UTF8
 ...

The solution

Well at least one solution : in each database, the special virtual table pg_database (see here for the documentation) contains the list of all the databases hosted on the server. So if we remove access rights on this table, users won't be able to list the databases anymore.

But wait, this table is available in every databases. So we need to remove these access rights on all databases. So far so good.

Oh but what if a user creates a new database ? Yes, this new database will have this pg_database table, with default access rights, which allow anybody to list its content, thus getting the list of existing databases on the server.

So what we need is to change the access rights of the pg_database on newly crated databases. How do we do that ? by connecting to the special database template1 (see here for the documentation). This database contains the default content (and their associated rights) that are used to populate newly created databases. So in addition to changing the access rights of pg_database on every databases, we'll need to do the same on template1.

Now how do we change the access right? What we want is deny users the right to get the database list. That is, extracting the database list from pg_database. That is, select'ing the data of this table. So we simply need to revoke the select permission on the table, for everybody. We do that with this command :

revoke select on pg_database from public;

Execute this query on all the databases of your server, plus on the special template1 database. Then, trying to list the databases will return :

psql -l database user
ERROR:  permission denied for relation pg_database

Problem solved.

Geek diagram

Sun, 27 Jul 2008 12:53:39 +0100

Some time ago I played with Omnigraffle because they were offering free beta licenses. I draw the electronic installation diagram of my living room, check it out.

Apache RewriteRule nightmare

Tue, 15 Jul 2008 03:14:20 +0100

I spent 2 hours banging my head against the wall regarding Apache RewriteRule. What I wanted was simple :

Redirect every http:// URLs to https://
Except if it's the atom or RSS URL
Redirect the https://.*atom.xml or rss URL to http://

And I failed. I couldn't make a pattern that says : "that doesn't end with atom.xml" or similar...

So I ended up with a compromise : only redirect /cgi-bin/mt URLs to https://. It works but I'm not quite satisfied. I'll give it another try later

booh 0.9.1 ebuild

Mon, 07 Jul 2008 14:52:23 +0100

It's been a long time since my last commit in the gentoo tree ! I had lost motivation and interest. But now I'm back with one simple goal for now : just maintain my ebuilds, don't get involved in any discussion, and take it easy :)

So I'm happy to celebrate my comeback with the much awaited ebuild for the new version of booh : 0.9.1.

This new version (well actually 0.9.0) brings a lot of new features and programs : album2booh booh-classifier booh-fix-whitebalance booh-gamma-correction webalbum2booh

Enjoy!

server reinstallation

Fri, 04 Jul 2008 01:09:07 +0100

The server I'm paying for (dedibox) crashed for unknown reason, I had to reinstall it. Luckilly enough I could boot in rescue mode and archive my important data, it helped to get everything up and running again, or at least the important bits (gentoo, apache, this blog, postgresql)

The newest addition on this server :

squid to act as proxy
backup-manager as a backup solution

backup-manager is not very powerful, but it's small, light and simple to install and configure. All you need is Perl and gettext :) It'll do until I migrate to bacula.

ssh, keychain

Fri, 16 May 2008 12:07:28 +0100

On our way back from FOSDEM, I had a quick discussion about ssh with Chris, and it motivated me to clean up all my ssh keys, passphrases, agents.

So now I use different keys for work and home, and ssh keychain on both.

Next move is to add my work identity to my home session to be able to connect directly to servers at work without having to go through my workstation at work. Without putting my home private id on my machine at work, nor copying my home public id on all servers at work. It should be possible I've heard :)

Anyway, here is briefly how I did it : ssh-keygen (dsa as main key). Then install keychain (see http://www.gentoo.org/proj/en/keychain/ and configure it a bit. I added the following script in /etc/profile.d/keychain.sh (gentoo host), and I use the built in keychain on my mac.

#!/bin/bash
# start keychain, with the private keys to be cached
/usr/bin/keychain ~/.ssh/id_dsa
# then load the generated files
for i in ~/.keychain/*-sh*; do
echo "sourcing $i"
source $i
done

I know, I know, everybody is supposed to know everything about ssh, but I'm happy to admit that I learnt 2 or 3 things while setting up everything properly. Besides, how many of you have no passphrase on your ssh key ? :)

FastCgi and Movable Type

Sun, 06 Apr 2008 05:14:37 +0100

This blog now runs on apache + mod_fastcgi. I can feel the difference, especially given the fact that the hardware is not that powerful. I was curious aboud mod_fcgid, which claims to be better but compatible, but I'm not sure why exactly (I think something to do with better timing in spawning / killing cgi persistents processes).

I was willing to move to lighttpd as well, but it looks like it's more work than just installing and configuring mod_fastcgi for apache. By the way, you have to make sure that FCGI (the Perl module) is installed otherwise Movable Type will refuse to work.

padlock encryption

Sat, 05 Apr 2008 15:00:00 +0100

This server this site is running on has a VIA CPUwith PadLock features enabled. That allows fast hardware accelerated encryption, namely AES, SHA1, SHA256. With modern kernel and openssl, there is no special patch needed. However, some application using encryption still need a patch to use the hardware feature.

If you are running a PadLock enabled Via CPU, this page has a list of patches for various linux programs. Look at the bottom of the page for contributions, and see if you're using any of these software. Even if you are using the same version, I recommend you to check if the patch hasn't been already applied by the maintainers of your linux distribution.

I applied the patchs for openssh, lighthttpd and a couple of other software.