Re: Using views for row-level access control is leaky

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "David Fetter" <david(at)fetter(dot)org>,"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Simon Riggs" <simon(at)2ndQuadrant(dot)com>, "Marc Munro" <marc(at)bloodnok(dot)com>, "Heikki Linnakangas" <heikki(dot)linnakangas(at)enterprisedb(dot)com>, "Rod Taylor" <rod(dot)taylor(at)gmail(dot)com>, "KaiGai Kohei" <kaigai(at)kaigai(dot)gr(dot)jp>, "PostgreSQL-development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Using views for row-level access control is leaky
Date: 2009-10-23 15:15:05
Message-ID: 4AE18229020000250002BE4A@gw.wicourts.gov
Lists: pgsql-hackers

David Fetter <david(at)fetter(dot)org> wrote:

> One of the things the security community has learned is that the
> only way it's even possible to get an information leak rate of zero
> is to have a system which does nothing at all. It's a fact we need
> to bear in mind when addressing this or any other issue of access
> control.

And to get all old-school about it, I tend to go with the position put
forward by Admiral Grace Hopper[1] when I heard her speak at an ACM
meeting here. She said that *any* security could be broken, and that
the goal should be to put the cost of creating the breach higher for
the perpetrators than the benefits which would accrue to them. That
informs my perspective, anyway.

So, one of the first questions I ask about an information leak is
"what good would it do someone to know that?" So I don't worry too
much about someone knowing the size of my database or the number of
rows in a table, or for that matter whether county 12 has a
2009GN000317 case or how many party records have a Social Security
Number stored. I care very much that the SSN associated with a person
or a document flagged as confidential doesn't leak to unauthorized
viewers, because that information could benefit someone who obtains it
and harm others.

Perspective is more important than purity here.

-Kevin

[1] http://en.wikipedia.org/wiki/Grace_Hopper
