Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)
От | Simon Riggs |
---|---|
Тема | Re: Updates of SE-PostgreSQL 8.4devel patches (r1197) |
Дата | |
Msg-id | 1226136204.27904.161.camel@ebony.2ndQuadrant обсуждение исходный текст |
Ответ на | Re: Updates of SE-PostgreSQL 8.4devel patches (r1197) (Bruce Momjian <bruce@momjian.us>) |
Ответы |
Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)
|
Список | pgsql-hackers |
On Fri, 2008-11-07 at 16:52 -0500, Bruce Momjian wrote: > Simon Riggs wrote: > > > > So if somebody with context x tries to delete value1 from TableB, they > > > > will be refused because of a row they cannot see. In this case the > > > > correct action is to update the tuple in TableB so it now has a > > > > security_context = y. The user with x cannot see it and can be persuaded > > > > he deleted it, while the user with y can still see it. > > > > > > It seems odd for a low-privilege user to be able to elevate the > > > privilege of a tuple above their own privilege level. I also don't > > > believe that the privilege level is a total order, which might make > > > this something of a sticky wicket. But those are just my thoughts as > > > a non-guru. > > > > The low-privilege user isn't elevating the label. If the tuple was > > visible by multiple labels it was already elevated. All I am suggesting > > is the system remove the one it can see, leaving the other ones intact. > > This makes the row appear to be deleted by the lower privileged user, > > whereas in fact it was merely updated. There need not be any ordering to > > the labels for this scheme to work. > > Simon, would you read the chapter on "covert channels"? You might > understand it better than I do and it might give you some ideas: > > http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.5950 It's probably easier just to say "here is the specification we;re working to implement". -- Simon Riggs www.2ndQuadrant.comPostgreSQL Training, Services and Support
В списке pgsql-hackers по дате отправления: