On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway <mail@joeconway.com> wrote:
> On 02/09/2016 11:47 AM, Robert Haas wrote:
>> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfrost@snowman.net> wrote:
>>>> Whereupon you'd have no certainty that what you got represented a
>>>> complete dump of your own data.
>>>
>>> It would be a dump of what you're allowed to see, rather than an error
>>> saying you couldn't dump something you couldn't see, which is the
>>> alternative we're talking about here. Even if you've got a dependency
>>> to something-or-other, if you don't have access to it, then you're
>>> going to get an error.
>>
>> I think you're dismissing Tom's concerns far too lightly. The
>> row_security=off mode, which is the default, becomes unusable for
>> non-superusers under this proposal. That's bad. And if you switch to
>> the other mode, then you might accidentally fail to get all of the
>> data in some table you're trying to back up. That's bad too: that's
>> why it isn't the default. There's a big difference between saying
>> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
>> dumping all of the data in some table I *can* see".
>
> I don't grok what you're saying here. If I, as a non-superuser could
> somehow see all the rows in a table just by running pg_dump, including
> rows that I could not normally see due to RLS policies, *that* would be
> bad. I should have no expectation of being able to dump rows I can't
> normally see.
That's true. But I should also have an expectation that running
pg_dump won't trigger arbitrary code execution, which is why by
default, pg_dump sets row_security to OFF. That way, if a row
security policy applies, I get an error rather than an incomplete,
possibly-invalid dump (and arbitrary code execution on the server
side). If I'm OK with doing the dump subject to row security, I can
rerun with --enable-row-security. But this proposal would force
non-superusers to always use that option, and that's not a good idea.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company