Re: Incorrect description of the WITH CHECK in the row security can lead to the security issue - Mailing list pgsql-general

From Tom Lane
Subject Re: Incorrect description of the WITH CHECK in the row security can lead to the security issue
Date
Msg-id 7182.1532966291@sss.pgh.pa.us
Whole thread Raw
In response to Incorrect description of the WITH CHECK in the row security can lead to the security issue  (Олег Самойлов <splarv@ya.ru>)
List pgsql-general
=?utf-8?B?0J7Qu9C10LMg0KHQsNC80L7QudC70L7Qsg==?= <splarv@ya.ru> writes:
> PostgreSQL 10 (in 11 the same
> https://www.postgresql.org/docs/10/static/ddl-rowsecurity.html
> cite
> To use a different policy for rows that are being added to the table
> compared to those rows that are visible, the WITH CHECK clause can be used.
> This policy would allow all users to view all rows in the users table, but
> only modify their own:

> CREATE POLICY user_policy ON users
>     USING (true)
>     WITH CHECK (user_name = current_user);
> end cite

> This is is wrong description. Every one can steal other row with such
> policy.

Yup, you're right, this is too simple.

> The right statement to not allow modify rows by other user will be

> CREATE POLICY user_policy ON users
>     USING (user_name = current_user)
>     WITH CHECK (user_name = current_user);

Well, that also hides the other users' rows, which is not what the
example claims to do.  To make it work as documented, we need something
like

CREATE POLICY user_sel_policy ON users
    FOR SELECT
    USING (true);
CREATE POLICY user_mod_policy ON users
    USING (user_name = current_user);

I've pushed a patch along that line.  Thanks for the report!

            regards, tom lane


pgsql-general by date:

Previous
From: Didier Wiroth
Date:
Subject: jndi jdbc url with ssl authenticat in tomcat ... failsorg.xml.sax.SAXParseException columnNumber: 79; The reference to entity "ssl"must end with the ';' delimiter
Next
From: Rob Sargent
Date:
Subject: alter table docs