Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
Postgres FD Implementation
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Abuhujair Javed
Postgres FD Implementation
Commits
56ccff59
Commit
56ccff59
authored
Oct 08, 2010
by
Robert Haas
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Warn that views can be safely used to hide columns, but not rows.
parent
9cc8c84e
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
51 additions
and
11 deletions
+51
-11
doc/src/sgml/ref/create_view.sgml
doc/src/sgml/ref/create_view.sgml
+6
-4
doc/src/sgml/rules.sgml
doc/src/sgml/rules.sgml
+45
-7
No files found.
doc/src/sgml/ref/create_view.sgml
View file @
56ccff59
...
@@ -143,10 +143,12 @@ CREATE VIEW vista AS SELECT text 'Hello World' AS hello;
...
@@ -143,10 +143,12 @@ CREATE VIEW vista AS SELECT text 'Hello World' AS hello;
<para>
<para>
Access to tables referenced in the view is determined by permissions of
Access to tables referenced in the view is determined by permissions of
the view owner. However, functions called in the view are treated the
the view owner. In some cases, this can be used to provide secure but
same as if they had been called directly from the query using the view.
restricted access to the underlying tables. However, not all views are
Therefore the user of a view must have permissions to call all functions
secure against tampering; see <xref linkend="rules-privileges"> for
used by the view.
details. Functions called in the view are treated the same as if they had
been called directly from the query using the view. Therefore the user of
a view must have permissions to call all functions used by the view.
</para>
</para>
<para>
<para>
...
...
doc/src/sgml/rules.sgml
View file @
56ccff59
...
@@ -1729,18 +1729,18 @@ SELECT * FROM shoelace;
...
@@ -1729,18 +1729,18 @@ SELECT * FROM shoelace;
<programlisting>
<programlisting>
CREATE TABLE phone_data (person text, phone text, private boolean);
CREATE TABLE phone_data (person text, phone text, private boolean);
CREATE VIEW phone_number AS
CREATE VIEW phone_number AS
SELECT person, phone FROM phone_data WHERE NOT private;
SELECT person, CASE WHEN NOT private THEN phone END AS phone
FROM phone_data;
GRANT SELECT ON phone_number TO secretary;
GRANT SELECT ON phone_number TO secretary;
</programlisting>
</programlisting>
Nobody except him (and the database superusers) can access the
Nobody except him (and the database superusers) can access the
<literal>phone_data</> table. But because of the <command>GRANT</>,
<literal>phone_data</> table. But because of the <command>GRANT</>,
the secretary can run a <command>SELECT</command> on the
the secretary can run a <command>SELECT</command> on the
<literal>phone_number</> view. The rule system will rewrite the
<literal>phone_number</> view. The rule system will rewrite the
<command>SELECT</command> from <literal>phone_number</> into a
<command>SELECT</command> from <literal>phone_number</> into a
<command>SELECT</command> from <literal>phone_data</> and add the
<command>SELECT</command> from <literal>phone_data</>.
qualification that only entries where <literal>private</> is false
Since the user is the owner of
are wanted. Since the user is the owner of
<literal>phone_number</> and therefore the owner of the rule, the
<literal>phone_number</> and therefore the owner of the rule, the
read access to <literal>phone_data</> is now checked against his
read access to <literal>phone_data</> is now checked against his
privileges and the query is permitted. The check for accessing
privileges and the query is permitted. The check for accessing
...
@@ -1774,7 +1774,41 @@ GRANT SELECT ON phone_number TO secretary;
...
@@ -1774,7 +1774,41 @@ GRANT SELECT ON phone_number TO secretary;
</para>
</para>
<para>
<para>
This mechanism also works for update rules. In the examples of
Note that while views can be used to hide the contents of certain
columns using the technique shown above, they cannot be used to reliably
conceal the data in unseen rows. For example, the following view is
insecure:
<programlisting>
CREATE VIEW phone_number AS
SELECT person, phone FROM phone_data WHERE phone NOT LIKE '412%';
</programlisting>
This view might seem secure, since the rule system will rewrite any
<command>SELECT</command> from <literal>phone_number</> into a
<command>SELECT</command> from <literal>phone_data</> and add the
qualification that only entries where <literal>phone</> does not begin
with 412 are wanted. But if the user can create his or her own functions,
it is not difficult to convince the planner to execute the user-defined
function prior to the <function>NOT LIKE</function> expression.
<programlisting>
CREATE FUNCTION tricky(text, text) RETURNS bool AS $$
BEGIN
RAISE NOTICE '% => %', $1, $2;
RETURN true;
END
$$ LANGUAGE plpgsql COST 0.0000000000000000000001;
SELECT * FROM phone_number WHERE tricky(person, phone);
</programlisting>
Every person and phone number in the <literal>phone_data</> table will be
printed as a <literal>NOTICE</literal>, because the planner will choose to
execute the inexpensive <function>tricky</function> function before the
more expensive <function>NOT LIKE</function>. Even if the user is
prevented from defining new functions, built-in functions can be used in
similar attacks. (For example, casting functions include their inputs in
the error messages they produce.)
</para>
<para>
Similar considerations apply to update rules. In the examples of
the previous section, the owner of the tables in the example
the previous section, the owner of the tables in the example
database could grant the privileges <literal>SELECT</>,
database could grant the privileges <literal>SELECT</>,
<literal>INSERT</>, <literal>UPDATE</>, and <literal>DELETE</> on
<literal>INSERT</>, <literal>UPDATE</>, and <literal>DELETE</> on
...
@@ -1782,7 +1816,11 @@ GRANT SELECT ON phone_number TO secretary;
...
@@ -1782,7 +1816,11 @@ GRANT SELECT ON phone_number TO secretary;
<literal>SELECT</> on <literal>shoelace_log</>. The rule action to
<literal>SELECT</> on <literal>shoelace_log</>. The rule action to
write log entries will still be executed successfully, and that
write log entries will still be executed successfully, and that
other user could see the log entries. But he cannot create fake
other user could see the log entries. But he cannot create fake
entries, nor could he manipulate or remove existing ones.
entries, nor could he manipulate or remove existing ones. In this
case, there is no possibility of subverting the rules by convincing
the planner to alter the order of operations, because the only rule
which references <literal>shoelace_log</> is an unqualified
<literal>INSERT</>. This might not be true in more complex scenarios.
</para>
</para>
</sect1>
</sect1>
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment