| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Greg Stark <stark(at)enterprisedb(dot)com> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, bogdan(at)omnidatagrup(dot)ro, David Fetter <david(at)fetter(dot)org>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: SE-PostgreSQL and row level security |
| Date: | 2009-02-18 15:32:03 |
| Message-ID: | 499C29F3.2070304@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greg Stark wrote:
> On Mon, Feb 16, 2009 at 4:14 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> I'm not sure I understand what you mean by that. I expect that if I
>> deny a particular user access to SELECT from a particular table the
>> system will throw a permissions error if that user later enters
>> "SELECT * FROM <table-name>". I don't expect that the system will
>> foresee every possible alternative way that a user might able to infer
>> something about the contents of that table and block it. I similarly
>> expect that if I install SE-PostgreSQL and configure it to filter out
>> certain rows from accesses to certain tables, those rows will in fact
>> be filtered. I still don't expect it to foresee every possible
>> alternative way that a user might be able to infer something about the
>> contents of the data to which the user does not have direct access.
>>
>> Is this fundamentally a semantic issue? If there's an asymmetry here
>> in what is being claimed, I'm not seeing it.
>
>
> Well the asymmetry is that in the former case the verb is "deny" and
> the latter it's "filter"...
I had talked to some knowledgeable people involved in designing
operating system security systems about this. A major design principle
for adding "advanced" security features was to minimize the impact on
existing interfaces.
This makes a lot of sense here. The problem is that in SQL you can
uniquely address columns, but not rows. So to avoid getting permission
denied errors in the face of column-level privileges, you simply omit
the off-limits columns from the select list and restriction clauses.
You mostly do this anyway, selecting only the columns that you are
legitimately interested in. So the interface impact is low. With
row-level privileges, you can't do that. Using the "deny" approach,
you'd immediately get permission denied errors for almost all queries in
your application as soon as you start setting row-level restrictions.
The fix would be to change all queries to add a restriction clause to
get only the rows you have access to. So the interface impact would be
pretty high. With a "filter" approach, the impact is much lower.
As you try to SELinux or SEWhatever-equip a complete operating system,
including kernel, file system, networking, X windows, etc., you have to
apply this deny vs filter tradeoff over and over again, to avoid
upsetting existing interfaces.
So, according to my state of knowledge, the purpose of row-level
security is actually *not* primarily to hide the existence of
information, but merely to hide the information itself under a standard
access-control mechanism while minimizing the impact on existing interfaces.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Fetter | 2009-02-18 15:37:00 | SIMILAR TO bug? |
| Previous Message | Tom Lane | 2009-02-18 15:30:12 | Re: WIP: hooking parser |