Re: [v9.4] row level security - Mailing list pgsql-hackers

From Greg Stark
Subject Re: [v9.4] row level security
Date
Msg-id CAM-w4HOSTZh+gZxtJt+qbiFzwFQHXMiAqZJs2rxe53H+6Nn1RA@mail.gmail.com
Whole thread Raw
In response to Re: [v9.4] row level security  (Kohei KaiGai <kaigai@kaigai.gr.jp>)
Responses Re: [v9.4] row level security
Re: [v9.4] row level security
List pgsql-hackers
On Sun, Sep 1, 2013 at 8:31 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> Or, any other criteria even though?
>
> My (current) preference is plan (c: we will be able to fix up *this*
> cover-channel with reasonable efforts on explain code. probably,
> we can close it if we don't print filtered rows under the sub-query
> with security-barrier attribute.

I think the criteria being discussed in this thread are too strict.

It may be the case that Postgres cannot make a strong general case
that it protects against covert channels. However it may still be able
to make the much weaker case that it is *possible* to arrange your
database such that the covert channels are kept under control.

So I think up above Tom is wrong about why it's ok that INSERT leaks
keys when it reports a unique key violation. The reason why it's ok
that there's a covert channel there is that the DBA can avoid that
covert channel by being careful when creating unique constraints. He
or she should be aware that creating a unique constraint implicitly
provides a kind of limited access to data to users who have INSERT
privilege even if they lack the real SELECT privilege.

Likewise, as long as the covert channels in RLS are things the DBA has
even a modicum of control over I wouldn't be too worried. Afaict from
skimming the thread it looks like creating any indexes on columns
leaks what values of the index key exist in the table. Is it the case
that non-indexed columns do not get leaked?


-- 
greg



pgsql-hackers by date:

Previous
From: Jeff Janes
Date:
Subject: Effectiveness of enable_material = off
Next
From: Andrew Dunstan
Date:
Subject: max freeze age query in docs