From: | Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl> |
---|---|
To: | David Garamond <lists(at)zara(dot)6(dot)isreserved(dot)com> |
Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Two-phase commit security restrictions |
Date: | 2004-10-13 18:20:22 |
Message-ID: | 20041013182022.GA10052@dcc.uchile.cl |
Lists: | pgsql-hackers |

On Wed, Oct 13, 2004 at 11:58:21PM +0700, David Garamond wrote:
> Heikki Linnakangas wrote:
> >Another approach I've been thinking about is to allow anyone that knows
> >the (user-supplied) global transaction identifier to finish the
> >transaction, and hide the gids of running transactions from regular
> >users. That way, the gid acts as a secret token that's only known by the
> >transaction manager, much like the cancel key.
>
> Personally I prefer the last. It should be infeasible to crack as long
> as the gid is long enough (e.g. sufficiently random 128bit value or
> more) and the channel between the TM and Postgres is secure.

So it is possible for a user connected to the DB to send random commit
or cancel commands, just in case she happens to hit a valid GID?

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Reality is made up of many dreams, all of them different,
but in a certain respect, similar..." (Me, talking about erotic dreams)
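
An added illustration of the scheme discussed in this thread (not part of the original message and not PostgreSQL code): a toy Python model in which a prepared transaction can be finished only by presenting its 128-bit random gid, plus an upper bound on the chance that random guesses hit a live gid. The class, the function names and the per-session failure limit are assumptions made for the example.

```python
import secrets

GID_BITS = 128      # gid size suggested in the quoted message
MAX_FAILURES = 5    # hypothetical per-session limit, not from the thread


class PreparedTxnTable:
    """Toy model: prepared transactions keyed by a secret gid."""

    def __init__(self):
        self._prepared = {}   # gid -> owner (kept for auditing only)
        self._failures = {}   # session id -> unknown-gid attempts so far

    def prepare(self, owner):
        # The transaction manager draws the gid from a CSPRNG, so it
        # works as a secret token rather than a guessable name.
        gid = secrets.token_hex(GID_BITS // 8)
        self._prepared[gid] = owner
        return gid

    def finish(self, session, gid):
        """Commit or roll back by gid: 'done', 'unknown' or 'blocked'."""
        if self._failures.get(session, 0) >= MAX_FAILURES:
            return "blocked"              # session has guessed too often
        if gid not in self._prepared:
            # Count every miss so repeated guessing is visible and bounded.
            self._failures[session] = self._failures.get(session, 0) + 1
            return "unknown"
        del self._prepared[gid]
        return "done"


def guess_success_bound(outstanding, attempts, bits=GID_BITS):
    """Union bound on P(at least one uniform random guess hits a live gid)."""
    return min(1.0, outstanding * attempts / 2 ** bits)


if __name__ == "__main__":
    # Constructed scenario: 1000 live transactions, 10**9 guesses.
    print(guess_success_bound(1000, 10**9))
```

The bound only holds when gids are drawn uniformly from a CSPRNG; a user-supplied gid with less entropy gives a correspondingly weaker guarantee.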