From: | Andres Freund <andres(at)2ndquadrant(dot)com> |
---|---|
To: | Kevin Grittner <kgrittn(at)mail(dot)com> |
Cc: | Simon Riggs <simon(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Review of Row Level Security |
Date: | 2012-12-19 20:12:17 |
Message-ID: | 20121219201216.GF5910@awork2.anarazel.de |
Lists: | pgsql-hackers |
On 2012-12-19 14:46:18 -0500, Kevin Grittner wrote:
> Simon Riggs wrote:
>
> > This is security, not spec compliance. By default, we need full
> > security.
>
> But you are arguing that users should not be able to make something
> secure if they, and everyone with the same permissions, could not
> later access it. I thought about situations where I've seen a need
> for something like this, and probably the best fit that I've seen
> is the ability of a judge to order that something is sealed. There
> are various levels where that can happen, but I'll focus on just
> one which Wisconsin Courts have implemented at the application
> level, but which would be nice to be able to support at the
> database level.
>
> Let's say we're talking about Milwaukee County, where hundreds of
> people work for the courts and related organizations with some
> rights to view the court data. Let's say a battered wife has moved
> to a new address she wants to keep secret for safety. She files a
> case with the court for a temporary restraining order, prohibiting
> the husband from coming near her. The court needs her address for
> the official record, but the judge will order the address "sealed"
> so that only people with a certain authority can see it. The
> authority is very limited, for obvious reasons.
>
> It is quite likely that the person initially entering the address
> and flagging it as sealed will not have authority to see the
> address if they go back and look up the case. Neither will the
> dozens of other people making the same kind of entries in the
> county. Obviously, if the person doing the initial entry is a
> friend of the husband, the data is compromised; but not allowing
> entry of the data in a state sealed by people without authority to
> look it up exposes the data to every other person with entry
> authority, with fairly obvious risks.
>
> The more secure behavior is to allow entry of data which will not
> be visible by the person doing the entry.
I don't think it is that simple. Allowing inserts without regard for row
level restrictions makes it far easier to probe for data. E.g. by
inserting rows and checking for unique violations.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
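The probing channel Andres describes, as an added example that is not part of the thread or of the patch under review. It uses the CREATE POLICY syntax that later shipped in PostgreSQL 9.5, and the table, column and role names (sealed_address, case_no, clerk) are hypothetical. Run it as a superuser in a scratch database.

```sql
-- Added example (not code from the thread): a row-level policy that lets a
-- role insert rows it can never read back, and the existence oracle that
-- a unique constraint then hands to that role.
CREATE ROLE clerk;

CREATE TABLE sealed_address (
    case_no integer PRIMARY KEY,
    address text    NOT NULL,
    sealed  boolean NOT NULL DEFAULT false
);
ALTER TABLE sealed_address ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT ON sealed_address TO clerk;

-- Clerks may read only unsealed rows ...
CREATE POLICY clerk_read ON sealed_address FOR SELECT TO clerk
    USING (NOT sealed);

-- ... but, per the behaviour argued for above, may insert any row,
-- including sealed ones they will not be able to see afterwards.
CREATE POLICY clerk_write ON sealed_address FOR INSERT TO clerk
    WITH CHECK (true);

-- A sealed record, entered earlier by someone else (constructed data).
INSERT INTO sealed_address VALUES (1001, '12 Hidden Lane', true);

SET ROLE clerk;

-- The policy hides the row from the clerk:
SELECT count(*) FROM sealed_address WHERE case_no = 1001;
-- count = 0

-- Probe: the PRIMARY KEY is enforced by the unique index regardless of
-- any policy, so this INSERT fails with SQLSTATE 23505 (unique_violation)
-- exactly when a row with case_no 1001 exists, visible or not.
INSERT INTO sealed_address VALUES (1001, 'probe', false);
-- ERROR:  duplicate key value violates unique constraint "sealed_address_pkey"

-- Repeating the probe over a range of case numbers enumerates every
-- sealed case in the table. Had the address column itself carried a
-- UNIQUE constraint, the same loop would test candidate addresses.
RESET ROLE;
```

The insert policy is the weak setting here: WITH CHECK (true) lets the role write into a part of the table it cannot read, which is precisely what turns every unique constraint into a yes/no oracle. Tightening it to WITH CHECK (NOT sealed) closes the probe, at the cost of the workflow Kevin describes, where the clerk enters a sealed address without being able to see it again; that trade-off is the subject of the thread. Note also that PostgreSQL only includes the offending key value in the error DETAIL when the role holds SELECT privilege on the key columns, so the table-level GRANT above means the probe is told not just that a row exists but which value collided.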
From | Date | Subject | |
---|---|---|---|
Next Message | Kevin Grittner | 2012-12-19 20:23:33 | Re: Review of Row Level Security |
Previous Message | Simon Riggs | 2012-12-19 20:05:03 | Re: Review of Row Level Security |