| From: | justin(dot)catterson(at)sofiebio(dot)com |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | BUG #13694: Row Level Security by-passed with CREATEUSER permission |
| Date: | 2015-10-21 16:42:33 |
| Message-ID: | 20151021164233.3017.94954@wrigleys.postgresql.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
The following bug has been logged on the website:
Bug reference: 13694
Logged by: Justin Catterson
Email address: justin(dot)catterson(at)sofiebio(dot)com
PostgreSQL version: 9.5beta1
Operating system: Ubuntu 14.10 x64
Description:
Users with the CREATEUSER permission do not evaluate Row Level Security
functions. pg_user usebypassrls is set to false.
To repeat:
CREATE POLICY ... WITH CHECK ((Select myFunction()))
CREATE USER my_user;
ALTER USER my_user WITH CREATEUSER;
Have myFunction() return a result of False;
Update a record belonging to policy.
Record will successfully update, when it should fail.
ALTER USER my_user WITH NOCREATEUSER;
Update a record belonging to policy.
Record will fail as expected.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Conway | 2015-10-21 18:05:13 | Re: BUG #13694: Row Level Security by-passed with CREATEUSER permission |
| Previous Message | n8vred | 2015-10-21 11:32:25 | BUG #13692: Error when run silent installation whith alredy installed PG9.4 |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Janes | 2015-10-21 17:31:26 | Re: COPY FREEZE and PD_ALL_VISIBLE |
| Previous Message | Robbie Harwood | 2015-10-21 16:39:27 | Re: [PATCH v3] GSSAPI encryption support |