| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
| Cc: | bogdan(at)omnidatagrup(dot)ro, David Fetter <david(at)fetter(dot)org>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: SE-PostgreSQL and row level security |
| Date: | 2009-02-16 07:45:13 |
| Message-ID: | 20090216074513.GA24770@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Feb 16, 2009 at 11:10:19AM +0900, KaiGai Kohei wrote:
> At the previous discussion, two items were pointed out.
>
> The one is called as covert channel. When a tuple with PK is refered by
> one or more tuples with FK, row-level control prevents to update or delete
> the PK, even if the FK is invisible from users. It allows users to infer
> existence of invisible FK.
One thing I keep missing in this discussion: the term "row-level
security" in the above senstence in not the important part. Right now
you can revoke SELECT permission on a table with a foreign key and it
will still prevent UPDATEs and DELETEs of the primary key, allowing
users to infer the existance of an invisible FK.
This is the same "covert channel", so why is it a problem for
SE-Postgres and not for normal Postgres?
Is it because revoking permissions is not considered a security
mechanism or something? I'm sure it's obvious, I'm just not seeing it.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while
> boarding. Thank you for flying nlogn airlines.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | KaiGai Kohei | 2009-02-16 08:33:33 | Re: SE-PostgreSQL and row level security |
| Previous Message | ITAGAKI Takahiro | 2009-02-16 05:54:28 | Re: connection logging dtrace probe |