Re: SE-PostgreSQL and row level security - Mailing list pgsql-hackers

From Tom Lane
Subject Re: SE-PostgreSQL and row level security
Date
Msg-id 16538.1234797073@sss.pgh.pa.us
Whole thread Raw
In response to Re: SE-PostgreSQL and row level security  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: SE-PostgreSQL and row level security
Re: SE-PostgreSQL and row level security
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> ... so the question is not "Are there covert channels?" but "Are the
> covert channels sufficiently large so as to render the system not
> useful in the real world?".

Fair enough.

> I haven't seen anyone present a shred of evidence that this would be
> the case in SE-PostgreSQL.

Sorry, but the burden of proof is in the other direction.

In any case, this was already discussed in detail in previous threads.
It's possible that you could make the database adequately secure given
appropriate design rules, such as "only use synthetic keys as foreign
keys".  (For instance consider Kevin's example of needing to hide the
case caption.  If the caption had been used directly as PK then he'd
have a problem.)  We have seen no evidence that anyone has a worked-out
set of design rules that make a SE-Postgres database secure against
these issues, so the whole thing is pie in the sky.
        regards, tom lane


pgsql-hackers by date:

Previous
From: "Kevin Grittner"
Date:
Subject: Re: SE-PostgreSQL and row level security
Next
From: "Kevin Grittner"
Date:
Subject: Re: SE-PostgreSQL and row level security