From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, marc(at)bloodnok(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCH] Fix leaky VIEWs for RLS |
Date: | 2010-06-07 11:53:47 |
Message-ID: | 4C0CDDCB.5050602@enterprisedb.com |
Lists: | pgsql-hackers |
On 07/06/10 14:06, Stephen Frost wrote:
> * Heikki Linnakangas (heikki(dot)linnakangas(at)enterprisedb(dot)com) wrote:
>> The big difference is what information can be obtained, not how fast it
>> can be obtained.
>
> Actually, I disagree. Time required to acquire the data does matter.
Depends on the magnitude, of course. If it takes 1 year per row, that's
probably acceptable. If it takes 1 second, that's extremely slow
compared to normal queries, but most likely still disastrous from a
security point of view.
>> Imagine a table that holds username/passwords for users. Each user is
>> allowed to see his own row, including password, but not anyone else's.
>> EXPLAIN side-channel might give pretty accurate information of how many
>> rows there is in the table, and via clever EXPLAIN+statistics probing
>> you might be able to find out what the top-10 passwords are, for
>> example. But if you wanted to know what your neighbor's password is, the
>> side-channels would not help you much, but an error message would reveal
>> it easily.
>
> Using only built-ins, could you elaborate on how one could pick exactly
> what row was revealed using an error case? That strikes me as
> difficult, but perhaps I'm not thinking creatively enough.
WHERE should do it:
SELECT * FROM secrets_view WHERE username = 'neighbor' AND
password::integer = 1234;
ERROR: invalid input syntax for integer: "neighborssecretpassword"
Assuming that username = 'neighbor' is evaluated before the cast.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
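The leak described above, beside the mitigation that PostgreSQL 9.2 and later provide for it (the security_barrier view option), as an added SQL example that is not part of the original thread; the table, view names and rows are constructed for the demonstration:

```sql
-- Constructed demonstration (not from the thread): a per-user secrets table
-- exposed through a row-filtering view, first as a plain view and then with
-- the security_barrier option.
CREATE TABLE secrets (username text PRIMARY KEY, password text);
INSERT INTO secrets VALUES
  ('me',       '4321'),
  ('neighbor', 'neighborssecretpassword');

-- Plain view: the planner is free to merge the caller's WHERE clause with the
-- view's own filter and evaluate the cheaper condition first. If
-- password::integer runs on the neighbor's row before username = current_user
-- discards it, the cast's error message echoes the neighbor's password.
CREATE VIEW secrets_view AS
  SELECT username, password
    FROM secrets
   WHERE username = current_user;

-- Hardened view: security_barrier forces the view's qualifier to be applied
-- before any condition the caller supplies. Only functions marked LEAKPROOF
-- may be pushed below the barrier, and the text-to-integer cast is not
-- leakproof (its error text repeats the input), so it only ever sees rows the
-- caller is allowed to read.
CREATE VIEW secrets_view_sb WITH (security_barrier = true) AS
  SELECT username, password
    FROM secrets
   WHERE username = current_user;

GRANT SELECT ON secrets_view, secrets_view_sb TO PUBLIC;

-- The probe from the message, run as a user other than 'neighbor'.
-- Against secrets_view it may fail with an "invalid input syntax" error that
-- contains the neighbor's password. Against secrets_view_sb the neighbor's
-- row is filtered out first, so the query returns zero rows without error.
SELECT * FROM secrets_view_sb
 WHERE username = 'neighbor' AND password::integer = 1234;
```

EXPLAIN on the probe query against secrets_view_sb shows the view's filter applied in a separate scan level beneath the caller's condition, which is how to confirm the barrier is in effect.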