Postgres Pro
Downloads
Home   >   mailing lists

Incorrect description of the WITH CHECK in the row security can lead to the security issue - Mailing list pgsql-general

From Олег Самойлов
Subject Incorrect description of the WITH CHECK in the row security can lead to the security issue
Date
Msg-id 3298321532002010@sas1-2b3c3045b736.qloud-c.yandex.net
Whole thread Raw
Responses Re: Incorrect description of the WITH CHECK in the row security can lead to the security issue  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tree view 
Hi all. This is a documentation issue, I already sent to pgsql-docs, but there is not reply.

https://www.postgresql.org/message-id/152637961531.27212.188002690528452126@wrigleys.postgresql.org

I'll try here. 

PostgreSQL 10 (in 11 the same
https://www.postgresql.org/docs/10/static/ddl-rowsecurity.html

cite
To use a different policy for rows that are being added to the table
compared to those rows that are visible, the WITH CHECK clause can be used.
This policy would allow all users to view all rows in the users table, but
only modify their own:

CREATE POLICY user_policy ON users
    USING (true)
    WITH CHECK (user_name = current_user);
end cite

This is is wrong description. Every one can steal other row with such
policy. Lets demonstrate.

You are now connected to database "olleg" as user "olleg".
olleg(at)[local]:9700/olleg
=> create table users (user_name text primary key, description text);
CREATE TABLE
olleg(at)[local]:9700/olleg
=> ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE
olleg(at)[local]:9700/olleg
=> grant all on users to public;
GRANT
=> CREATE POLICY user_policy ON users
->     USING (true)
->     WITH CHECK (user_name = current_user);
CREATE POLICY
olleg(at)[local]:9700/olleg
=> insert into users (user_name) values ('olleg');
INSERT 0 1
olleg(at)[local]:9700/olleg
=> set role postgres;
SET
olleg(at)[local]:9700/olleg
=# create user test with password 'test' login;
CREATE ROLE
=# \c olleg test localhost 9700
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384,
bits: 256, compression: off)
You are now connected to database "olleg" as user "test" on host "localhost"
at port "9700".
test(at)localhost:9700/olleg
=> select * from users;
 user_name | description 
-----------+-------------
 olleg     | 
(1 row)

test(at)localhost:9700/olleg
=> update users set user_name='test', description='a rude hack';
UPDATE 1
test(at)localhost:9700/olleg
=> select * from users;
 user_name | description 
-----------+-------------
 test      | a rude hack
(1 row)

The right statement to not allow modify rows by other user will be

CREATE POLICY user_policy ON users
    USING (user_name = current_user)
    WITH CHECK (user_name = current_user);
end cite

pgsql-general by date:

Previous
From: Raghavendra Rao J S V
Date:
Subject: Re: Is it ok to run vacuum full verbose command for live database for the tables which has more dead tuples?
Next
From: Torsten Förtsch
Date:
Subject: functions with side effect