tags:

views:

31

answers:

2
+1  Q: 

PostgreSQL/PHP custom CMS - multiple schemas within single database security.

Hi. I am writing a CMS using PHP and PostgreSQL. The CMS is capable of running multiple sites from a single codebase, using a unique set of tables per site / domain, differeing depending on which features are enabled.

I understand that PostgreSQL supports multiple schemas within a single database, and that access permissions are then set by schema.

My question is whether there are any security implications using a single schema per site within the same database?

This question has been really helpful in understanding the pros and cons either way, however it does not mention security aspects. The chosen answer states that PostgreSQL "schema" is equivalent to MySQL "database". If this is the case I'm comfortable with this approach. However, are there any security issues I should be aware of? My understanding is that the granular permissions used by PostgreSQL should protect each schema within a given database, however I'm not 100% sure on this.

Will this setup also make it possible to query across multiple schemas within a single query for a user with permissions on multiple schemas?

Any thoughts would be greatly appreciated, thanks in advance.

+1  A: 

Yes, a user with the appropriate permissions could query across schemas. Just make sure to prefix the table names with the schema name.

Security-wise, as long as you are using a separate user account for each schema which only has access to that schema, there shouldn't be a difference compared to using separate databases.

BenV  2010-07-15 20:23:06
+1  A: 

They will be able to see that the other schema and tables exists, but they won't be able to access them. The Postgres catalogs which contain such information can't be locked down like that. Its a known "limitation" of separation by schema.

Otherwise, as long as the security is setup correctly, they shouldn't be able to access any information by outside their schema.

And yes, you can make a user query across any schema/table/object that they have access to, so long as its either in the search_path or by explicitly qualifying it.

rfusca  2010-07-16 01:22:04
2 great answer, thanks to both. Marked this as used due to additional schema visibility 'gotcha'!
CitrusTree  2010-07-16 11:24:23

related questions

How do I (or can I) SELECT DISTINCT on multiple columns (postgresql)?
Is it possible to make a recursive SQL query ?
What does it mean when a PostgreSQL process is "idle in transaction"?
C# .NET + PostgreSQL
Possible to perform cross-database queries with postgres?
Cascading deletes in PostgreSQL
How to concatenate strings of a string field in a PostgreSQL 'group by' query?
Languages other than SQL in postgres
How to prevent Write Ahead Logging on just one table in PostgreSQL?
Using MS Access & ODBC to connect to a remote PostgreSQL
Reasons for SQL differences
PostgreSQL perfomance monitoring tool
How do you use script variables in PostgreSQL?
MySQL vs PostgreSQL for Web Applications
joining latest of various usermetadata tags to user rows
Good strategy for leaving an audit trail/change history for DB applications?
PostgreSQL: GIN or GiST indexes?
Migrating from MySQL to PostgreSQL
What's the preferred way to connect to a postgresql database from PHP?
Use for the phppgadmin Reports Database?
Recommendation for a PostgreSQL Programming Tutorial?
SQL Case Statement Syntax?
What language do you use for Postgresql triggers and stored procedures?
String literals and escape characters in postgresql
Python and MySQL