| From: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
|---|---|
| To: | obartunov(at)gmail(dot)com |
| Cc: | Greg Smith <greg(at)2ndquadrant(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [v9.4] row level security |
| Date: | 2013-08-28 12:17:19 |
| Message-ID: | CADyhKSWkHrPqbRsFK0LjPMOOTsbKGWOuN75GqYJrxCDO3CKWtA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2013/8/28 Oleg Bartunov <obartunov(at)gmail(dot)com>:
> btw, there is serious problem with row-level security and constraints. For
> example, user with low security level could use unique constraint to know
> about existence of a row with higher security. I don't know, what is the
> best practice to avoid this.
>
It is out of scope for this feature. We usually calls this type of information
leakage "covert channel"; that is not avoidable in principle.
However, its significance is minor, because attacker must know identical
data to be here, or must have proving for each possible values.
Its solution is simple. DBA should not use value to be confidential as unique
key. If needed, our recommendation is alternative key, instead of natural key,
because its value itself does not have worth.
I should add a note of caution onto the documentation according to
the previous consensus, however, I noticed it had gone from the sgml files
while I was unaware. So, let me add description on the documentation.
Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2013-08-28 13:02:52 | Re: Support for REINDEX CONCURRENTLY |
| Previous Message | Kohei KaiGai | 2013-08-28 11:56:06 | Re: [v9.4] row level security |