Re: Using views for row-level access control is leaky
| От | KaiGai Kohei |
|---|---|
| Тема | Re: Using views for row-level access control is leaky |
| Дата | |
| Msg-id | 4AE18DBD.9010801@kaigai.gr.jp обсуждение исходный текст |
| Ответ на | Re: Using views for row-level access control is leaky (Simon Riggs <simon@2ndQuadrant.com>) |
| Список | pgsql-hackers |
Simon Riggs wrote: > On Fri, 2009-10-23 at 19:38 +0900, KaiGai Kohei wrote: >>> Also, we should presume that any function created with SECURITY DEFINER >>> and created by a superuser would have plan security, so we don't need to >>> annotate lots of old code to work securely. Annotating the built-in >>> functions is a lot easier. >> Sorry, what is happen if function is marked as "plan security"? > > I was suggesting an intelligent default by which we could determine > function marking implicitly, if it was not explicitly stated on the > CREATE FUNCTION. How to handle a (corner) case when the function owner was changed to non privileged user and its definition is replaced later? Even if someone malicious gives leakage condition on the view, possible leakable infotmation is restricted to where the owner of view can access. So, it seems to me the security mark on views by owner are sufficient. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>
В списке pgsql-hackers по дате отправления: