| From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: leaky views, yet again |
| Date: | 2010-10-07 06:02:43 |
| Message-ID: | 4CAD6283.4090908@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 07.10.2010 06:39, Robert Haas wrote:
> On Tue, Oct 5, 2010 at 3:42 PM, Tom Lane<tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Right, *column* filtering seems easy and entirely secure. The angst
>> here is about row filtering. Can we have a view in which users can see
>> the values of a column for some rows, with perfect security that they
>> can't identify values for the hidden rows? The stronger form is that
>> they shouldn't even be able to tell that hidden rows exist, which is
>> something your view doesn't try to do; but there are at least some
>> applications where that would be desirable.
>
> I took a crack at documenting the current behavior; see attached.
Looks good. It gives the impression that you need to be able to a create
custom function to exploit, though. It would be good to mention that
internal functions can be used too, revoking access to CREATE FUNCTION
does not make you safe.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2010-10-07 06:38:32 | Re: todo point: plpgsql - scrollable cursors are supported |
| Previous Message | KaiGai Kohei | 2010-10-07 03:45:55 | Re: host name support in pg_hba.conf |