| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Geoghegan <pg(at)heroku(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Broken lock management in policy.c. |
| Date: | 2016-01-04 18:48:25 |
| Message-ID: | 10264.1451933305@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
[ getting back to this now that there's a little time ]
Peter Geoghegan <pg(at)heroku(dot)com> writes:
> On Sun, Jan 3, 2016 at 7:01 PM, Peter Geoghegan <pg(at)heroku(dot)com> wrote:
>> I would also advise only referencing a single relation within the
>> SELECT FOR UPDATE.
> To state what may be obvious: We should recommend that SELECT FOR
> SHARE appear in the CREATE POLICY USING qual as part of this
> workaround (not SELECT FOR UPDATE), because there is no need for
> anything stronger than that. We only need to prevent the admin
> updating a referenced-in-using-qual tuple in a way that allows a
> malicious user to exploit an inconsistency in tuple visibility during
> EPQ rechec. (Using SELECT FOR KEY SHARE would not reliably workaround
> the underlying issue, though.)
Right, SELECT FOR SHARE would be sufficient and would reduce the
concurrency penalty a bit.
It might be possible to use SELECT FOR KEY SHARE if you knew that
the column you needed to check was a unique-key column, but that
seems unlikely to be common, so I think we can omit the point from
our example.
I'll go draft something up ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim Nasby | 2016-01-04 18:50:12 | Re: Accessing non catalog table in backend |
| Previous Message | Tom Lane | 2016-01-04 18:18:02 | Re: pgsql: Further tweaking of print_aligned_vertical(). |