| From: | Peter Geoghegan <pg(at)heroku(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Broken lock management in policy.c. |
| Date: | 2016-01-04 03:43:48 |
| Message-ID: | CAM3SWZQm-a3WamEM_FZYVcu-QpLJe9v2PvKsfxPNM7=qJt4oww@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Jan 3, 2016 at 7:01 PM, Peter Geoghegan <pg(at)heroku(dot)com> wrote:
> I would also advise only referencing a single relation within the
> SELECT FOR UPDATE.
To state what may be obvious: We should recommend that SELECT FOR
SHARE appear in the CREATE POLICY USING qual as part of this
workaround (not SELECT FOR UPDATE), because there is no need for
anything stronger than that. We only need to prevent the admin
updating a referenced-in-using-qual tuple in a way that allows a
malicious user to exploit an inconsistency in tuple visibility during
EPQ rechec. (Using SELECT FOR KEY SHARE would not reliably workaround
the underlying issue, though.)
--
Peter Geoghegan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2016-01-04 03:47:07 | Re: 9.5 BLOCKER: regrole and regnamespace and quotes |
| Previous Message | Tom Lane | 2016-01-04 03:43:09 | Re: 9.5 BLOCKER: regrole and regnamespace and quotes |