Re: [0/4] Proposal of SE-PostgreSQL patches - Mailing list pgsql-hackers

From Josh Berkus
Subject Re: [0/4] Proposal of SE-PostgreSQL patches
Date
Msg-id 4821F2CC.8090908@agliodbs.com
Whole thread Raw
In response to Re: [0/4] Proposal of SE-PostgreSQL patches  (Andrew Sullivan <ajs@commandprompt.com>)
List pgsql-hackers
Andrew, Marc,

> FWIW, I support and think important the row- and column- level access
> controls this seems to be proposing, at least in principle.  Whether
> that's a support that will extend to 2x overhead on everything is
> rather a different matter.  Also, I am more than prepared to trade
> away some cases in order to get a broadly useful functionality (so if
> you can't hide the existence of a table, but all efforts to learn its
> contents don't work, I might be willing to support that trade-off).

Well, there are two different goals we can satisfy.  One is to help 
support the kind of VPS functionality that Veil is designed for, and the 
majority of users want.  The second goal is upholding the kind of 
security systems demanded by highly secure environments which have 
statutory requirements about how security should work.

That is, while Veil-like funcitonality is what most developers want, 
it's not what NSA/Banks/military want, who have their own ideas about 
security.  I think we can conceivably capture both.

I do think that SE functionality which goes beyond reasonable SQL 
requirements should be a build-time options because I don't feasably see 
ways to implement them that won't cause a big performance hit.

Also, I think you should be aware that for serious multilevel security 
hackers (one of whom will be working on Postgres soon) SEPostgres is the 
beginning and not the end.  One of the requirements of many militaries, 
for example, is not merely data hiding by data substitution, where the 
row contents you see depend on your security clearance.

Also, re: pg_dump: it's actually a desired feature that, for example, 
some users only be able to dump a subset of the database.  Including 
some DBAs.  One of the issues which SE/Mulitlevel tries to address is 
"what happens if you don't trust your DBA 100%?"  So if we can retain 
that, it's actually a feature and not a bug.

--Josh






pgsql-hackers by date:

Previous
From: Dimitri Fontaine
Date:
Subject: Re: alter + preserving dependencies
Next
From: Peter Eisentraut
Date:
Subject: Re: Posting to hackers and patches lists