Re: Two-phase commit security restrictions

On Wed, Oct 13, 2004 at 11:58:21PM +0700, David Garamond wrote:
> Heikki Linnakangas wrote:

> >Another approach I've been thinking about is to allow anyone that knows 
> >the (user-supplied) global transaction identifier to finish the 
> >transaction, and hide the gids of running transactions from regular 
> >users. That way, the gid acts as a secret token that's only known by the 
> >transaction manager, much like the cancel key.
> 
> Personally I prefer the last. It should be infeasible to crack as long 
> as the gid is long enough (e.g. sufficiently random 128bit value or 
> more) and the channel between the TM and Postgres is secure.

So it is possible for a user connected to the DB to send random commit
or cancel commands, just in case she happens to hit a valid GID?

-- 
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"La realidad se compone de muchos sueños, todos ellos diferentes,
pero en cierto aspecto, parecidos..." (Yo, hablando de sueños eróticos)