Re: ON CONFLICT issues around whole row vars,

From: Peter Geoghegan <pg(at)heroku(dot)com>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: ON CONFLICT issues around whole row vars,
Date: 2015-10-01 23:13:12
Message-ID: CAM3SWZRYM2rhv3rwU1rKFneNHgcQPmm+ZXFYJg_xfkWnjh4jaQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, Oct 1, 2015 at 3:42 AM, Andres Freund <andres(at)anarazel(dot)de> wrote:
> Yes, that what I think as well. At this point we'll already have
> executed insert rls stuff on the EXCLUDED tuple:
> /*
> * Check any RLS INSERT WITH CHECK policies
> *
> * ExecWithCheckOptions() will skip any WCOs which are not of the kind
> * we are looking for at this point.
> */
> if (resultRelInfo->ri_WithCheckOptions != NIL)
> ExecWithCheckOptions(WCO_RLS_INSERT_CHECK,
> resultRelInfo, slot, estate);
> and before executing the actual projection we also checked the existing
> tuple:
> ExecWithCheckOptions(WCO_RLS_CONFLICT_CHECK, resultRelInfo,
> mtstate->mt_existing,
> mtstate->ps.state);
>
> after the update triggers have, if applicable run, we run the the normal
> checks there as well because it's just ExecUpdate()
> if (resultRelInfo->ri_WithCheckOptions != NIL)
> ExecWithCheckOptions(WCO_RLS_UPDATE_CHECK,
> resultRelInfo, slot, estate);
>
> so I do indeed think that there's no point in layering RLS above
> EXCLUDED.

I see your point, I think. It might be a problem if we weren't already
making the statement error out, but we are.

However, we're checking the excluded tuple (the might-be-inserted,
might-be-excluded tuple that reflects before row insert trigger
effects) with WCO_RLS_INSERT_CHECK, not WCO_RLS_UPDATE_CHECK. The
WCO_RLS_UPDATE_CHECK applies to the tuple to be appended to the
relation (the tuple that an UPDATE makes supersede some existing
tuple, a new row version).

We all seem to be in agreement that excluded.* ought to be subject to
column-level privilege enforcement, mostly due to possible leaks with
before row insert triggers (these could be SoD; a malicious UPSERT
could be written a certain way). None of the checks in the code above
are the exact RLS equivalent of the principle we have for column
privileges, AFAICT, because update-applicable policies (everything but
insert-applicable policies, actually) are not checked against the
excluded tuple. Shouldn't select-applicable policies also be applied
to the excluded tuples, just as with UPDATE ... FROM "join from"
tables, which excluded is kinda similar to?

I'm not trying to be pedantic; I just don't grok the underlying
principles here. Couldn't a malicious WHERE clause leak the excluded.*
tuple contents (and cause the UPDATE to not proceed) before the
WCO_RLS_CONFLICT_CHECK call site was reached, while also preventing it
from ever actually being reached (with a malicious function that
returns false after stashing excluded.* elsewhere)? You can put
volatile functions in UPDATE WHERE clauses, even if it is generally a
bad idea.

Perhaps I'm simply not following you here, though. I think that this
is one challenge with having per-command policies with a system that
checks permissions dynamically (not during parse analysis). Note that
I'm not defending the status quo of the master branch -- I'm just a
little uneasy about what the ideal, least surprising behavior is here.

--
Peter Geoghegan

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2015-10-01 23:17:48 Re: ON CONFLICT issues around whole row vars,
Previous Message Tom Lane 2015-10-01 22:36:06 Re: Idea for improving buildfarm robustness