Re: Side effect of CVE-2017-7484 fix?
From | Dilip Kumar |
---|---|
Subject | Re: Side effect of CVE-2017-7484 fix? |
Date | |
Msg-id | CAFiTN-ue+JPeZtKFJ6zGaBu8gPfCQYu=vCGnNrChqUO6FMYQwQ@mail.gmail.com |
In response to | Re: Side effect of CVE-2017-7484 fix? (Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>) |
List | pgsql-hackers |
On Mon, Oct 22, 2018 at 12:05 PM Amit Langote <Langote_Amit_f8@lab.ntt.co.jp> wrote:
>
> Hi,
>
> On 2018/10/22 14:41, Stephen Frost wrote:
> > Greetings,
> >
> > * Dilip Kumar (dilipbalaut@gmail.com) wrote:
> >> As part of the security fix
> >> (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> >> users from accessing the statistics of the table if the user doesn't
> >> have privileges on the table and the function is not leakproof. Now,
> >> as a side effect of this, if the user has the privileges on the root
> >> partitioned table but does not have privilege on the child tables, the
> >> user will be able to access the data of the child table but it won't
> >> be able to access the statistics of the child table. This may result
> >> in a bad plan. I am not sure what should be the fix. Should we
> >> allow to access the statistics of the table if a user has privilege on
> >> its parent table?
> >
> > Yes... If the user has access to the parent table then they can see the
> > child tables, so they should be able to see the statistics on them.
>
> Yeah, but I'd think only if the child tables are being accessed via
> the parent table.

I agree.

--
Regards,
Dilip Kumar
EnterpriseDB: http://www.enterprisedb.com
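
The side effect discussed in this thread can be observed with a script like the following. It is an added example, not code from the thread or from the PostgreSQL project; all object names (`stats_root`, `stats_child`, `stats_reader`, `not_leakproof_lt`, `<<<`) are constructed. It assumes a scratch database, a session role allowed to create roles, and a server that shows the behaviour described above.

```sql
-- Constructed test objects: a partitioned root with one child partition.
CREATE TABLE stats_root (a integer) PARTITION BY RANGE (a);
CREATE TABLE stats_child PARTITION OF stats_root
    FOR VALUES FROM (0) TO (100000);
INSERT INTO stats_root SELECT g FROM generate_series(0, 99999) AS g;
ANALYZE stats_root;   -- also gathers statistics for the partition

-- A comparison function that is deliberately NOT marked LEAKPROOF.
-- plpgsql is used so the planner cannot inline it into the built-in "<".
CREATE FUNCTION not_leakproof_lt(integer, integer) RETURNS boolean
    LANGUAGE plpgsql IMMUTABLE STRICT
    AS $$ BEGIN RETURN $1 < $2; END $$;

-- Operator whose selectivity estimator reads the column histogram.
CREATE OPERATOR <<< (
    PROCEDURE = not_leakproof_lt,
    LEFTARG   = integer,
    RIGHTARG  = integer,
    RESTRICT  = scalarltsel
);

-- The role gets SELECT on the root only, not on the child.
CREATE ROLE stats_reader;
GRANT SELECT ON stats_root TO stats_reader;
SELECT has_table_privilege('stats_reader', 'stats_root',  'SELECT') AS on_root,
       has_table_privilege('stats_reader', 'stats_child', 'SELECT') AS on_child;

-- 1. As the owner: the row estimate for stats_child comes from its histogram.
EXPLAIN SELECT * FROM stats_root WHERE a <<< 10;

-- 2. As stats_reader: the rows are still readable through the root, but on an
--    affected server the planner may not consult stats_child's statistics for
--    a non-leakproof operator and falls back to a default selectivity.
SET ROLE stats_reader;
EXPLAIN SELECT * FROM stats_root WHERE a <<< 10;
SELECT count(*) FROM stats_root WHERE a <<< 10;   -- data access still works
RESET ROLE;

-- Cleanup.
DROP TABLE stats_root;
DROP OPERATOR <<< (integer, integer);
DROP FUNCTION not_leakproof_lt(integer, integer);
DROP ROLE stats_reader;
```

Comparing the `rows=` estimate on the `stats_child` scan node between the two `EXPLAIN` outputs shows whether the planner used the child's statistics for the restricted role.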