From: | "David Johnston" <polobo(at)yahoo(dot)com> |
---|---|
To: | "'Andres Freund'" <andres(at)2ndquadrant(dot)com>, "'Kevin Grittner'" <kgrittn(at)mail(dot)com> |
Cc: | "'Simon Riggs'" <simon(at)2ndquadrant(dot)com>, "'Tom Lane'" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "'Robert Haas'" <robertmhaas(at)gmail(dot)com>, "'Kohei KaiGai'" <kaigai(at)kaigai(dot)gr(dot)jp>, "'PostgreSQL-development'" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Review of Row Level Security |
Date: | 2012-12-19 20:48:13 |
Message-ID: | 013c01cdde2a$2a716680$7f543380$@yahoo.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> > The more secure behavior is to allow entry of data which will not be
> > visible by the person doing the entry.
>
> I don't think it is that simple. Allowing inserts without regard for row
level
> restrictions makes it far easier to probe for data. E.g. by inserting rows
and
> checking for unique violations.
>
So the PK column(s) are not as secure as, say, the address-related column.
Vice-versa I may know that someone lives at a given address (because my
attempt to place someone else there failed) but I would have no way of
knowing who that other person is. My recourse would be to escalate the
data-entry request to someone with higher security permissions who could
read and write to the appropriate tables and resolve the conflict. In both
cases the direct write-only situation necessitates that some level of
exposure occurs. The work-around if that is unacceptable would be to accept
all data but any entries that cannot be directly inserted into the table
would remain in a staging area that someone with higher security would have
to monitor and clear as needed. The same intervention is required but in
the first situation you can at least avoid coding the special logic and
instead trade security for ease-of-use.
As a default level of security we could throw a generic "secure DLL rejected
for ROW(...)" and not tell the user anything about the cause. If that
person knows all unique indexes and constraints defined on the table they
could use trial-and-error to discover information about stored records but
even then if they get an error on two different columns they still have no
way of knowing if those "errors" belong to the same record.
Beyond that level you provide the user with some information as to the cause
so that they have a reasonable chance to catch typos and other mistakes
instead of escalating an benign issue.
Lastly is the custom solution whereby the developers accept ALL data entered
as being correct but saved to a staging table. A review process by someone
with higher security clearances would then process and clear out that table
as necessary. If the user is write-only then regardless of whether the
entry succeeded or failed they are considered to be "done" with their task
at that point and no meaningful results from the system can be supplied to
them.
None of these options disallows the presence of non-security related check
constraints to be checked, enforced, and communicated to the user.
I've probably lost sight of the bigger picture as my response to mostly
informed by these last couple of messages.
David J.
> Greetings,
>
> Andres Freund
>
From | Date | Subject | |
---|---|---|---|
Next Message | Simon Riggs | 2012-12-19 20:49:07 | Re: Review of Row Level Security |
Previous Message | Kevin Grittner | 2012-12-19 20:37:54 | Re: Review of Row Level Security |