| From: | Oleg Bartunov <obartunov(at)gmail(dot)com> |
|---|---|
| To: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
| Cc: | Greg Smith <greg(at)2ndquadrant(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [v9.4] row level security |
| Date: | 2013-08-29 11:05:15 |
| Message-ID: | CAF4Au4y07OFDx_cg-hWfS9sVG84u-LNCRj-M8dMP68XPqEjb5g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Any constraints could be "covert channel".
On Wed, Aug 28, 2013 at 4:17 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> 2013/8/28 Oleg Bartunov <obartunov(at)gmail(dot)com>:
> > btw, there is serious problem with row-level security and constraints.
> For
> > example, user with low security level could use unique constraint to know
> > about existence of a row with higher security. I don't know, what is the
> > best practice to avoid this.
> >
> It is out of scope for this feature. We usually calls this type of
> information
> leakage "covert channel"; that is not avoidable in principle.
> However, its significance is minor, because attacker must know identical
> data to be here, or must have proving for each possible values.
> Its solution is simple. DBA should not use value to be confidential as
> unique
> key. If needed, our recommendation is alternative key, instead of natural
> key,
> because its value itself does not have worth.
>
> I should add a note of caution onto the documentation according to
> the previous consensus, however, I noticed it had gone from the sgml files
> while I was unaware. So, let me add description on the documentation.
>
> Thanks,
> --
> KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2013-08-29 11:19:33 | Re: Spinlock implementation on x86_64 (was Re: Better LWLocks with compare-and-swap (9.4)) |
| Previous Message | Dimitri Fontaine | 2013-08-29 10:16:02 | Re: Extension Templates S03E11 |