From: | Greg Stark <gsstark(at)mit(dot)edu> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: leaky views, yet again |
Date: | 2010-10-05 18:08:15 |
Message-ID: | AANLkTinDK4DfFGKHmyPBrR48+u2FTRKdwyx0VGcdGVuj@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Oct 5, 2010 at 11:01 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> Well, the only thing I've ever wanted to do this for was to allow
> sales reps to see their own customers but not the customers of other
> sales reps (because if they could pull our complete customer list,
> then once they left and went to work for $COMPETITOR they'd start
> trying to pick off our customers; of course, we couldn't prevent them
> from maintaining a list of their own customers, and no doubt they knew
> who some of the other customers were, but they couldn't just dump out
> the complete list from the database). I agree it's hopeless to
> prevent all side-channel leaks, but I'd describe the goal like this:
>
> Prevent access to the actual tuple contents of the hidden rows.
Though I find it unlikely the sales people would have direct access to
run arbitrary SQL -- let alone create custom functions.
If the users that have select access on the view don't have DDL access
doesn't that make them leak-proof for those users?
--
greg
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2010-10-05 18:15:20 | Re: leaky views, yet again |
Previous Message | Robert Haas | 2010-10-05 18:01:25 | Re: leaky views, yet again |