(2010/11/30 21:26), Simon Riggs wrote:
> On Mon, 2010-11-29 at 21:37 -0500, Josh Kupershmidt wrote:
>> I still see little reason to make LOCK TABLE permissions different for
>> column-level vs. table-level UPDATE privileges
> This is the crux of the debate. Why should this inconsistency be allowed
> to continue?
> Are there covert channel issues here, KaiGai?
Existing database privilege mechanism (and SELinux, etc...) is not designed
to handle covert channel attacks, basically.
For example, if a user session with column-level UPDATE privilege tries
to update a certain column for each seconds depending on the contents of
other table X, other session can probably know the contents of table X
using iteration of LOCK command without SELECT permission.
It is a typical timing channel attack, but it is not a problem that we
should try to tackle, is it?
Sorry, I don't have a credible idea to solve this inconsistency right now.
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
In response to
pgsql-hackers by date
|Next:||From: Tom Lane||Date: 2010-12-01 04:17:05|
|Subject: Re: We really ought to do something about O_DIRECT and data=journalled on ext4 |
|Previous:||From: Andy Colson||Date: 2010-12-01 03:36:54|
|Subject: unlogged tables|
pgsql-general by date
|Next:||From: Greg Swisher||Date: 2010-12-01 05:31:10|
|Subject: Warm Standby log filling up with "FATAL: the database system is starting up" entries|
|Previous:||From: Vick Khera||Date: 2010-12-01 00:52:14|
|Subject: Re: Pg_upgrade question|