Re: lastval exposes information that currval does not

From: Phil Frost <indigo(at)bitglue(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: lastval exposes information that currval does not
Date: 2006-07-28 00:59:19
Message-ID: 20060728005918.GB8533@unununium.org
Lists: pgsql-hackers

On Thu, Jul 27, 2006 at 05:01:37PM -0400, Andrew Dunstan wrote:
> Tom Lane wrote:
>
> >Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> >>What we should really do is have lastval() fail if the user does not
> >>have appropriate permissions on the schema. Having it not fail is a bug,
> >>and documenting a bug turns it not into a feature, but into a "gotcha".
> >
> >I'm unconvinced that it's either a bug or a gotcha. lastval doesn't
> >tell you which sequence it's giving you a value from, so I don't really
> >see the reasoning for claiming that there's a security hole. Also,
> >*at the time you did the nextval* you did have permissions. Does anyone
> >really think that a bad guy can't just remember the value he got?
> >lastval is merely a convenience.
>
> Is that true even if it was called by a security definer function?
>
> I too don't think that the security danger of knowing the value of a
> (possibly unknown) sequence is very high, but that's another argument.
>
> cheers
>
> andrew

Granted, I can't think of too many ways one could store sensitive
information in a sequence. I think it's more important to consider what
it implies about the system behind the issue. When I revoke some
privilege, I expect it to be enforced regardless of the method by which
one attempts to exercise that privilege.

Being able to bypass the schema usage check by using an OID rather than
a name would be one hell of a security flaw were it not that there are
relatively few ways to access information by an OID exposed. However,
there may be obscure ways to access tables or other more "serious"
information that no one has noticed yet. The fact that this behaviour
isn't exactly obvious leads me to believe developers of the server or
server extensions are likely to unknowingly expose more ways to do this.
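
The comparison discussed in this thread, written as a self-contained psql script; this is an added example, not part of the original message or of the PostgreSQL sources. The role, schema and sequence names are constructed, the script assumes a superuser session on a scratch database, and it uses the current GRANT ... ON SEQUENCE syntax rather than that of the release discussed in 2006.

```sql
-- Added example. All object names are constructed for illustration.
-- Everything runs in one transaction that is rolled back, so nothing persists.
BEGIN;

CREATE ROLE lastval_demo;
CREATE SCHEMA demo_hidden;
CREATE SEQUENCE demo_hidden.ticket_seq;

-- Start with full access: schema USAGE plus privileges on the sequence.
GRANT USAGE ON SCHEMA demo_hidden TO lastval_demo;
GRANT USAGE, SELECT ON SEQUENCE demo_hidden.ticket_seq TO lastval_demo;

-- The unprivileged role draws a value while it still has access.
SET LOCAL ROLE lastval_demo;
SELECT nextval('demo_hidden.ticket_seq');
RESET ROLE;

-- Revoke only the schema privilege; the sequence ACL is left untouched.
REVOKE USAGE ON SCHEMA demo_hidden FROM lastval_demo;

SET LOCAL ROLE lastval_demo;

-- currval() takes a name, so resolving it goes through the schema and the
-- USAGE check applies. The savepoint keeps the transaction usable if this
-- statement raises a permission error.
SAVEPOINT before_currval;
SELECT currval('demo_hidden.ticket_seq');
ROLLBACK TO SAVEPOINT before_currval;

-- lastval() takes no name: it uses the sequence remembered by the session,
-- so no schema lookup happens. This is the call the thread says does not
-- fail after the revoke.
SELECT lastval();

RESET ROLE;
ROLLBACK;
```

Run it with psql without ON_ERROR_STOP so the script continues past the currval() call; comparing the two results on your server version shows whether the revoked schema privilege is enforced on both paths.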
