Re: Side effect of CVE-2017-7484 fix?

From: Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Dilip Kumar <dilipbalaut(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Side effect of CVE-2017-7484 fix?
Date: 2018-10-22 06:35:36
Message-ID: 0e1f4466-7275-9752-a935-72b042001d55@lab.ntt.co.jp
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

On 2018/10/22 14:41, Stephen Frost wrote:
> Greetings,
>
> * Dilip Kumar (dilipbalaut(at)gmail(dot)com) wrote:
>> As part of the security fix
>> (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
>> users from accessing the statistics of the table if the user doesn't
>> have privileges on the table and the function is not leakproof. Now,
>> as a side effect of this, if the user has the privileges on the root
>> partitioned table but does not have privilege on the child tables, the
>> user will be able to access the data of the child table but it won't
>> be able to access the statistics of the child table. This may result
>> in a bad plan. I am not sure what should be the fix. Should we
>> allow to access the statistics of the table if a user has privilege on
>> its parent table?
>
> Yes... If the user has access to the parent table then they can see the
> child tables, so they should be able to see the statistics on them.

Yeah, but I'd think only if access the child tables are being accessed via
the parent table.

So, maybe, statistic_proc_security_check() added by that commit should
return true if IS_OTHER_REL(vardata->rel)?

Thanks,
Amit

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message John Naylor 2018-10-22 06:44:27 Re: WIP: Avoid creation of the free space map for small tables
Previous Message Michael Paquier 2018-10-22 06:01:13 Re: Function to promote standby servers