Re: Re: Exempting superuser from row-security isn't enough. Run predicates as DEFINER?

From: Craig Ringer <craig(at)2ndquadrant(dot)com>
To: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Re: Exempting superuser from row-security isn't enough. Run predicates as DEFINER?
Date: 2013-11-12 04:10:51
Message-ID: 5281AA4B.5050508@2ndquadrant.com
Lists: pgsql-hackers

On 11/11/2013 06:37 PM, Kohei KaiGai wrote:
> Hi Craig,
>
> I'd like to vote for the last option. It is a separate problem (or, might
> be specification), I think.

I tend to agree, but I'm nervous about entirely hand-waving around this,
as doing so would *expand* the existing problem.

"Solving" this properly would require adding a security context and
current user to subqueries, not just for permissions checks (as
currently exists) but for execution as well.

That's a whole separate job. So I'd say that for first-stage RS we
should require that row-security policies only be defined by highly
privileged users (superuser, or user granted a new SETROWSECURITY
right). Table owners can't set row security on their own tables. That
way we don't expand the existing security issue that already exists by
making it easy to attack logical backups.

Between that and the ability to grant a right that exempts users from
row security (given to just superuser by default) we should be OK with
this problem.

Admins who choose to trust users not to write malicious RS predicates,
or who only run pg_dump as superuser and have isolated users, can choose
to grant their users the right to set their own row security policies.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
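As an added illustration that is not part of the thread, this is how the row-level security feature that later shipped in PostgreSQL (9.5 and newer) expresses the two controls discussed above: a per-role exemption right, and a dump session that fails closed instead of evaluating a policy predicate it cannot trust. Role, table and column names are constructed for the example; the script assumes it is run as a superuser.

```sql
-- Constructed example: a policy-protected table, a dedicated backup role that
-- is exempt from row security, and a session that fails closed.

CREATE ROLE app_owner LOGIN;
CREATE ROLE backup_role LOGIN;

-- In the shipped feature the table owner defines policies (the thread above
-- proposes restricting that to superusers or holders of a dedicated right).
SET ROLE app_owner;
CREATE TABLE customer_notes (
    id    serial PRIMARY KEY,
    owner text NOT NULL DEFAULT current_user,
    note  text
);
ALTER TABLE customer_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_notes FORCE ROW LEVEL SECURITY;  -- apply to the owner too
-- The USING expression is evaluated in the session of whoever reads the table,
-- which is exactly why the thread worries about who may write it.
CREATE POLICY notes_by_owner ON customer_notes
    USING (owner = current_user);
RESET ROLE;

-- The exemption is a per-role attribute rather than "superuser only":
-- BYPASSRLS is the shipped counterpart of the exemption right proposed
-- above. Grant it only to the account that actually runs backups.
ALTER ROLE backup_role BYPASSRLS;
GRANT SELECT ON customer_notes TO backup_role;

-- pg_dump sets row_security = off in its session. For a role that is NOT
-- exempt, touching a policy-protected table then raises an error instead of
-- silently running the predicate or producing a partial dump:
SET ROLE app_owner;
SET row_security = off;
SELECT count(*) FROM customer_notes;   -- fails for app_owner
RESET ROLE;

-- For the exempt backup role the same session reads every row, and the
-- policy expression is never evaluated on its behalf:
SET ROLE backup_role;
SET row_security = off;
SELECT count(*) FROM customer_notes;   -- succeeds, all rows visible
RESET ROLE;
```

Running `pg_dump` as `backup_role` (rather than as superuser) therefore gives the isolated-dump behaviour the message asks for without making the dumping account omnipotent.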
