| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | josh(at)agliodbs(dot)com |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) |
| Date: | 2008-09-24 03:06:29 |
| Message-ID: | 17754.1222225589@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Josh Berkus <josh(at)agliodbs(dot)com> writes:
> Multilevel frameworks have concepts of data hiding and data substitution
> based on labels. That is, if a user doesn't have permissions on data,
> he's not merely supposed to be denied access to it, he's not even supposed
> to know that the data exists. In extreme cases (think military / CIA use)
> data at a lower security level should be substitited for the higher
> security level data which the user isn't allowed. Silently.
Yeah, that's what I keep hearing that the spooks think they want.
I can't imagine how it would play nice with SQL-standard integrity
constraints. Data that apparently violates a foreign-key constraint,
for example, would give someone a pretty good clue that there's
something there he's not being allowed to see.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2008-09-24 03:18:23 | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) |
| Previous Message | Alvaro Herrera | 2008-09-24 02:53:46 | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) |