Re: Using views for row-level access control is leaky - Mailing list pgsql-hackers

From David Fetter
Subject Re: Using views for row-level access control is leaky
Date
Msg-id 20091023142423.GF28926@fetter.org
Whole thread Raw
In response to Re: Using views for row-level access control is leaky  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Using views for row-level access control is leaky
List pgsql-hackers
On Fri, Oct 23, 2009 at 10:04:29AM -0400, Tom Lane wrote:
> Simon Riggs <simon@2ndQuadrant.com> writes:
> > On Fri, 2009-10-23 at 19:38 +0900, KaiGai Kohei wrote:
> >> Sorry, what is happen if function is marked as "plan security"?
> 
> > I was suggesting an intelligent default by which we could
> > determine function marking implicitly, if it was not explicitly
> > stated on the CREATE FUNCTION.
> 
> The thought that's been in the back of my mind is that you could
> solve 99% of the performance problem if you trusted all builtin
> functions and nothing else.  This avoids the question of who gets to
> mark functions as trustable.

Great idea!

One of the things the security community has learned is that the only
way it's even possible to get an information leak rate of zero is to
have a system which does nothing at all.  It's a fact we need to bear
in mind when addressing this or any other issue of access control.

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate


pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: plpgsql EXECUTE will not set FOUND
Next
From: Andrew Dunstan
Date:
Subject: Re: plpgsql EXECUTE will not set FOUND