From: | Dilip Kumar <dilipbalaut(at)gmail(dot)com> |
---|---|
To: | Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Side effect of CVE-2017-7484 fix? |
Date: | 2018-10-22 12:04:19 |
Message-ID: | CAFiTN-ue+JPeZtKFJ6zGaBu8gPfCQYu=vCGnNrChqUO6FMYQwQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Oct 22, 2018 at 12:05 PM Amit Langote
<Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp> wrote:
>
> Hi,
>
> On 2018/10/22 14:41, Stephen Frost wrote:
> > Greetings,
> >
> > * Dilip Kumar (dilipbalaut(at)gmail(dot)com) wrote:
> >> As part of the security fix
> >> (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> >> users from accessing the statistics of the table if the user doesn't
> >> have privileges on the table and the function is not leakproof. Now,
> >> as a side effect of this, if the user has the privileges on the root
> >> partitioned table but does not have privilege on the child tables, the
> >> user will be able to access the data of the child table but it won't
> >> be able to access the statistics of the child table. This may result
> >> in a bad plan. I am not sure what should be the fix. Should we
> >> allow to access the statistics of the table if a user has privilege on
> >> its parent table?
> >
> > Yes... If the user has access to the parent table then they can see the
> > child tables, so they should be able to see the statistics on them.
>
> Yeah, but I'd think only if access the child tables are being accessed via
> the parent table.
I agree.
--
Regards,
Dilip Kumar
EnterpriseDB: http://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | PG Bug reporting form | 2018-10-22 12:34:14 | BUG #15448: server process (PID 22656) was terminated by exception 0xC0000005 |
Previous Message | Dilip Kumar | 2018-10-22 11:13:52 | Re: Side effect of CVE-2017-7484 fix? |