| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Pierre Ducroquet <p(dot)psql(at)pinaraf(dot)info>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Row Level Security − leakproof-ness and performance implications |
| Date: | 2019-02-28 14:12:25 |
| Message-ID: | CA+TgmoZt1MDhP1Bd5j5TXVdzxJVOPqAKO6g=PFP0HMBQOjBaow@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Feb 27, 2019 at 6:03 PM Joe Conway <mail(at)joeconway(dot)com> wrote:
> Patch for discussion attached.
So... you're just going to replace ALL error messages of any kind with
"ERROR: missing error text" when this option is enabled? That sounds
unusable. I mean if I'm reading it right this would get not only
messages from SQL-callable functions but also things like "deadlock
detected" and "could not read block %u in file %s" and "database is
not accepting commands to avoid wraparound data loss in database with
OID %u". You can't even shut it off conveniently, because the way
you've designed it it has to be PGC_POSTMASTER to avoid TOCTTOU
vulnerabilities. Maybe I'm misreading the patch?
I don't think it would be crazy to have a mode where we try to redact
the particular error messages that might leak information, but I think
we'd need to make it only those. A wild idea might be to let
proleakproof take on three values: yes, no, and maybe. When 'maybe'
functions are involved, we tell them whether or not the current query
involves any security barriers, and if so they self-censor.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2019-02-28 14:15:34 | Re: Drop type "smgr"? |
| Previous Message | Alexander Kuzmenkov | 2019-02-28 14:09:34 | Re: Removing unneeded self joins |