Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: Robert Haas <rhaas(at)postgresql(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().
Date: 2010-07-09 14:51:27
Message-ID: 1278687087.29736.355.camel@ebony
Lists: pgsql-committers, pgsql-hackers

On Fri, 2010-07-09 at 14:06 +0000, Robert Haas wrote:
> Log Message:
> -----------
> Add a hook in ExecCheckRTPerms().
> 
> This hook allows a loadable module to gain control when table permissions
> are checked.  It is expected to be used by an eventual SE-PostgreSQL
> implementation, but there are other possible applications as well.  A
> sample contrib module can be found in the archives at:
> 
> http://archives.postgresql.org/pgsql-hackers/2010-05/msg01095.php
> 

The loadable module doesn't "gain control" here; it simply kicks in
after, and in addition to, normal checking. That just means you have the
option of failing for additional reasons.

We're not passing in any form of context other than the rangetable so
what additional reasons could there be? This is of no use to anything
that uses object labelling. We're not even at the part of the executor
where we would be able to identify objects yet, so I can't see what
value this brings. Though I am certainly in favour in general terms of
simple changes to enhance security configuration features.

Strangely, I was looking into removing the ExecCheckRTPerms check
altogether by forcing plan invalidation when permissions are updated.
That would be a performance tweak that would render this change useless.

-- 
 Simon Riggs           www.2ndQuadrant.com

