| From: | Bertrand Drouvot <bertranddrouvot(dot)pg(at)gmail(dot)com> |
|---|---|
| To: | Jeff Davis <pgsql(at)j-davis(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Robert Haas <robertmhaas(at)gmail(dot)com>, Roman Eskin <r(dot)eskin(at)arenadata(dot)io>, Michael Paquier <michael(at)paquier(dot)xyz>, Alexander Lakhin <exclusion(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: Avoid orphaned objects dependencies, take 3 |
| Date: | 2026-06-17 05:44:47 |
| Message-ID: | ajI0Tz9dIJvLGHNY@bdtpg |
| Lists: | pgsql-hackers |
Hi,
On Tue, Jun 16, 2026 at 12:14:12PM -0700, Jeff Davis wrote:
> On Tue, 2026-06-16 at 10:09 +0000, Bertrand Drouvot wrote:
> > 0002: fixes it by moving aclcheck_track_record() to after the
> > permission check
> > succeeds in object_aclcheck_ext() and pg_class_aclcheck_ext().
> > Indeed, there is
> > no need to track failed permission checks.
>
> IIUC, this is necessary for correctness. If an ACL failure doesn't
> cause a transaction abort, then there's a danger that we cause the
> transaction to fail that should have succeeded.
Exactly, because we'd recheck a "harmless" failed ACL check and then produce
an error.
> So the ACL tracking needs to be precise: we can't track an ACL check
> unless a failure always causes transaction abort; and we must track an
> ACL check if it would cause a transaction abort. Right?
I would say: we just need to track (and recheck) ACL checks that succeeded.
I think that there is no reason to recheck (and so to record) a failed ACL as what
we are dealing with here is the TOCTOU window. Re-checking a failed ACL check would
handle cases when a GRANT has been given during the TOCTOU window which is not
useful (for our protection goal) compared to re-checking a REVOKE during the
TOCTOU window (as the latter would record a dependency on an object we don't have
permission on).
Doing so, as proposed in 0002, allows us to fix the "re-check a harmless failed
ACL bug" (demonstrated by the added test) and still protect us from a REVOKE during
the TOCTOU window.
Thoughts?
Regards,
--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
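Added illustration, not part of the thread or of the PostgreSQL patches: a constructed model of the two tracking policies the message compares (record every ACL check vs. record only successful ones), re-checked at the point where the dependency is recorded. The names Catalog, Transaction, aclcheck and record_dependency are invented and only stand in for the real code paths.

```python
# Constructed model of the ACL-tracking policy discussed above; not PostgreSQL
# code. Catalog, Transaction, aclcheck and record_dependency are invented names.
from dataclasses import dataclass, field


@dataclass
class Catalog:
    """(role, object) -> set of privileges; stands in for the catalog ACL."""
    acl: dict = field(default_factory=dict)

    def has(self, role, obj, priv):
        return priv in self.acl.get((role, obj), set())

    def grant(self, role, obj, priv):
        self.acl.setdefault((role, obj), set()).add(priv)

    def revoke(self, role, obj, priv):
        self.acl.get((role, obj), set()).discard(priv)


@dataclass
class Transaction:
    catalog: Catalog
    role: str
    track_failed: bool          # True: record every check; False: the 0002 policy
    tracked: list = field(default_factory=list)

    def aclcheck(self, obj, priv):
        """Permission check at object-creation time; may record the check."""
        ok = self.catalog.has(self.role, obj, priv)
        if ok or self.track_failed:
            self.tracked.append((obj, priv))
        return ok

    def record_dependency(self):
        """End of the TOCTOU window: every tracked ACL must still hold."""
        for obj, priv in self.tracked:
            if not self.catalog.has(self.role, obj, priv):
                raise PermissionError(f"{priv} on {obj} no longer granted")
        return "committed"


def run(track_failed, revoke_in_window):
    """One transaction: a successful check, a tolerated failed check, and
    optionally a concurrent REVOKE before the dependency is recorded."""
    cat = Catalog()
    cat.grant("alice", "t1", "SELECT")
    tx = Transaction(cat, "alice", track_failed)
    tx.aclcheck("t1", "SELECT")   # succeeds
    tx.aclcheck("t1", "UPDATE")   # fails; the caller tolerates it (no abort)
    if revoke_in_window:
        cat.revoke("alice", "t1", "SELECT")   # REVOKE inside the window
    try:
        return tx.record_dependency()
    except PermissionError:
        return "aborted"
```

Recording failed checks aborts the harmless case at commit; recording only successful checks commits it while still catching a REVOKE inside the window.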