Re: SE-PostgreSQL and row level security

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: bogdan(at)omnidatagrup(dot)ro, David Fetter <david(at)fetter(dot)org>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PostgreSQL and row level security
Date: 2009-02-16 07:45:13
Message-ID: 20090216074513.GA24770@svana.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Feb 16, 2009 at 11:10:19AM +0900, KaiGai Kohei wrote:
> At the previous discussion, two items were pointed out.
>
> The one is called as covert channel. When a tuple with PK is refered by
> one or more tuples with FK, row-level control prevents to update or delete
> the PK, even if the FK is invisible from users. It allows users to infer
> existence of invisible FK.

One thing I keep missing in this discussion: the term "row-level
security" in the above senstence in not the important part. Right now
you can revoke SELECT permission on a table with a foreign key and it
will still prevent UPDATEs and DELETEs of the primary key, allowing
users to infer the existance of an invisible FK.

This is the same "covert channel", so why is it a problem for
SE-Postgres and not for normal Postgres?

Is it because revoking permissions is not considered a security
mechanism or something? I'm sure it's obvious, I'm just not seeing it.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while
> boarding. Thank you for flying nlogn airlines.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message KaiGai Kohei 2009-02-16 08:33:33 Re: SE-PostgreSQL and row level security
Previous Message ITAGAKI Takahiro 2009-02-16 05:54:28 Re: connection logging dtrace probe