Re: Review of Row Level Security

From: Andres Freund <andres(at)2ndquadrant(dot)com>
To: Kevin Grittner <kgrittn(at)mail(dot)com>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Review of Row Level Security
Date: 2012-12-19 20:12:17
Message-ID: 20121219201216.GF5910@awork2.anarazel.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 2012-12-19 14:46:18 -0500, Kevin Grittner wrote:
> Simon Riggs wrote:
>
> > This is security, not spec compliance. By default, we need full
> > security.
>
> But you are arguing that users should not be able to make something
> secure if they, and everyone with the same permissions, could not
> later access it. I thought about situations where I've seen a need
> for something like this, and probably the best fit that I've seen
> is the ability of a judge to order that something is sealed. There
> are various levels where that can happen, but I'll focus on just
> one which Wisconsin Courts have implemented at the application
> level, but which would be nice to be able to support at the
> database level.
>
> Let's say we're talking about Milwaukee County, where hundreds of
> people work for the courts and related organizations with some
> rights to view the court data. Let's say a battered wife has moved
> to a new address she wants to keep secret for safety. She files a
> case with the court for a temporary restraining order, prohibiting
> the husband from coming near her. The court needs her address for
> the official record, but the judge will order the address "sealed"
> so that only people with a certain authority can see it. The
> authority is very limited, for obvious reasons.
>
> It is quite likely that the person initially entering the address
> and flagging it as sealed will not have authority to see the
> address if they go back and look up the case. Neither will the
> dozens of other people making the same kind of entries in the
> county. Obviously, if the person doing the initial entry is a
> friend of the husband, the data is compromised; but not allowing
> entry of the data in a state sealed by people without authority to
> look it up exposes the data to every other person with entry
> authority, with fairly obvious risks.
>
> The more secure behavior is to allow entry of data which will not
> be visible by the person doing the entry.

I don't think it is that simple. Allowing inserts without regard for row
level restrictions makes it far easier to probe for data. E.g. by
inserting rows and checking for unique violations.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Kevin Grittner 2012-12-19 20:23:33 Re: Review of Row Level Security
Previous Message Simon Riggs 2012-12-19 20:05:03 Re: Review of Row Level Security