On Saturday, February 17, 2018, Olegs Jeremejevs <ol...@jeremejevs.com> wrote:
> Okay, in other words, there's no way to completely defend oneself from DoS
> attacks which require having a session? If so, is there a scenario where
> some bad actor can create a new user for themselves (to connect to the
> database with), and not be able to do anything more damaging than that? For
> example, if I can do an SQL injection, then I can do something more clever
> than running a CREATE ROLE. And if not, then there's no point in worrying
> about privileges in a single-tenant database? Beyond human error safeguards.
>

Roles that applications use should not be superuser or given createrole so your example should not arise. But any logged user can do something like:

Select * from generate_series(1,100000000) cross join generate_series(1,100000000)

Privileges are largely valuable for information privacy and security, and preventing subtle attacks.

David J.
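An added example, not part of the original message: one way to set up and audit an application role along the lines the reply describes. The role name app_rw, the database name appdb, and the limit values are assumptions chosen for illustration.

```sql
-- Hypothetical names: app_rw (application role), appdb (database).

-- Application login role without the attributes the reply warns about.
CREATE ROLE app_rw LOGIN
    NOSUPERUSER NOCREATEROLE NOCREATEDB NOREPLICATION
    CONNECTION LIMIT 20;   -- caps concurrent sessions opened as this role

-- Only explicitly granted roles may connect to the database.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO app_rw;

-- Run while connected to appdb: stop arbitrary roles creating objects
-- in the public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Per-role default that bounds runaway statements such as the cross join
-- quoted above. statement_timeout is user-settable, so a session can
-- change it with SET; treat it as a safeguard, not a hard limit.
ALTER ROLE app_rw SET statement_timeout = '5s';

-- Audit: login roles that still hold superuser, createrole or createdb.
-- Application roles should not appear in this result.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolconnlimit
FROM pg_roles
WHERE rolcanlogin
  AND (rolsuper OR rolcreaterole OR rolcreatedb)
ORDER BY rolname;
```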