Re: Side effect of CVE-2017-7484 fix?

From: Dilip Kumar <dilipbalaut(at)gmail(dot)com>
To: Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Side effect of CVE-2017-7484 fix?
Date: 2018-10-22 12:04:19
Message-ID: CAFiTN-ue+JPeZtKFJ6zGaBu8gPfCQYu=vCGnNrChqUO6FMYQwQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Oct 22, 2018 at 12:05 PM Amit Langote
<Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp> wrote:
>
> Hi,
>
> On 2018/10/22 14:41, Stephen Frost wrote:
> > Greetings,
> >
> > * Dilip Kumar (dilipbalaut(at)gmail(dot)com) wrote:
> >> As part of the security fix
> >> (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> >> users from accessing the statistics of the table if the user doesn't
> >> have privileges on the table and the function is not leakproof. Now,
> >> as a side effect of this, if the user has the privileges on the root
> >> partitioned table but does not have privilege on the child tables, the
> >> user will be able to access the data of the child table but it won't
> >> be able to access the statistics of the child table. This may result
> >> in a bad plan. I am not sure what should be the fix. Should we
> >> allow to access the statistics of the table if a user has privilege on
> >> its parent table?
> >
> > Yes... If the user has access to the parent table then they can see the
> > child tables, so they should be able to see the statistics on them.
>
> Yeah, but I'd think only if access the child tables are being accessed via
> the parent table.

I agree.

--
Regards,
Dilip Kumar
EnterpriseDB: http://www.enterprisedb.com

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message PG Bug reporting form 2018-10-22 12:34:14 BUG #15448: server process (PID 22656) was terminated by exception 0xC0000005
Previous Message Dilip Kumar 2018-10-22 11:13:52 Re: Side effect of CVE-2017-7484 fix?