| From: | David Garamond <lists(at)zara(dot)6(dot)isreserved(dot)com> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Two-phase commit security restrictions |
| Date: | 2004-10-14 05:00:34 |
| Message-ID: | 416E07F2.6010301@zara.6.isreserved.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Alvaro Herrera wrote:
>>>Another approach I've been thinking about is to allow anyone that knows
>>>the (user-supplied) global transaction identifier to finish the
>>>transaction, and hide the gids of running transactions from regular
>>>users. That way, the gid acts as a secret token that's only known by the
>>>transaction manager, much like the cancel key.
>>
>>Personally I prefer the last. It should be infeasible to crack as long
>>as the gid is long enough (e.g. sufficiently random 128bit value or
>>more) and the channel between the TM and Postgres is secure.
>
> So it is possible for a user connected to the DB to send random commit
> or cancel commands, just in case she happens to hit a valid GID?
It is not essentially different from someone trying to bruteforce a
password. A 128bit value like a random GUID is as strong as a 16 char
password comprising ASCII 0-255 characters. And I would argue that this
is _not_ security through obscurity. Security through obscurity is
relying on unpublished methods/algorithms. This is not.
But I understand that everybody seems to be against this idea.
--
dave
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Jowett | 2004-10-14 05:21:23 | Re: Two-phase commit security restrictions |
| Previous Message | Jan Wieck | 2004-10-14 04:29:19 | Re: First set of OSDL Shared Mem scalability results, some |