Re: Multivariate MCV stats can leak data to unprivileged users
От | Tomas Vondra |
---|---|
Тема | Re: Multivariate MCV stats can leak data to unprivileged users |
Дата | |
Msg-id | 20190623200420.g5fdq54yz5f33wd3@development обсуждение исходный текст |
Ответ на | Re: Multivariate MCV stats can leak data to unprivileged users (Dean Rasheed <dean.a.rasheed@gmail.com>) |
Список | pgsql-hackers |
On Sun, Jun 23, 2019 at 06:56:53PM +0100, Dean Rasheed wrote: >On Mon, 13 May 2019 at 23:36, Tomas Vondra <tomas.vondra@2ndquadrant.com> wrote: >> >> On Fri, May 10, 2019 at 10:19:44AM +0100, Dean Rasheed wrote: >> >While working on 1aebfbea83c, I noticed that the new multivariate MCV >> >stats feature suffers from the same problem, and also the original >> >problems that were fixed in e2d4ef8de8 and earlier --- namely that a >> >user can see values in the MCV lists that they shouldn't see (values >> >from tables that they don't have privileges on). >> > >> >I think there are 2 separate issues here: >> > >> >1). The table pg_statistic_ext is accessible to anyone, so any user >> >can see the MCV lists of any table. I think we should give this the >> >same treatment as pg_statistic, and hide it behind a security barrier >> >view, revoking public access from the table. >> > >> >2). The multivariate MCV stats planner code can be made to invoke >> >user-defined operators, so a user can create a leaky operator and use >> >it to reveal data values from the MCV lists even if they have no >> >permissions on the table. >> > >> >Attached is a draft patch to fix (2), which hooks into >> >statext_is_compatible_clause(). >> > >> >> I think that patch is good. >> > >I realised that we forgot to push this second part, so I've just done so. > Whoops! Too many patches in this thread. Thanks for noticing. regards -- Tomas Vondra http://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
В списке pgsql-hackers по дате отправления: