Re: Side effect of CVE-2017-7484 fix?

On Mon, Oct 22, 2018 at 04:43:52PM +0530, Dilip Kumar wrote:
> On Mon, Oct 22, 2018 at 11:22 AM David Fetter <david(at)fetter(dot)org> wrote:
> >
> > On Mon, Oct 22, 2018 at 11:10:09AM +0530, Dilip Kumar wrote:
> > > As part of the security fix
> > > (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> > > users from accessing the statistics of the table if the user doesn't
> > > have privileges on the table and the function is not leakproof.
> > > Now, as a side effect of this, if the user has the privileges on the
> > > root partitioned table but does not have privilege on the child
> > > tables, the user will be able to access the data of the child table
> > > but it won't be able to access the statistics of the child table.
> >
> > Do we have any kind of quantitative idea of how much worse query
> > performance gets with this blind spot?
>
> One of our customers reported the issue where they have executed the
> same query by granting privileges only on the base table vs granting
> privileges on all the partitions. The execution time was more than 2
> hours in the first case whereas it got completed in 10 seconds in the
> second case.

That's just awful. Were permissions set correctly per their threat
model, as far as you can tell? Was the query constructed correctly?
Am I understanding correctly that the query as constructed spanned one
or more partitions that the role querying didn't have permission to
see?

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate