Hi,

On Tue, Jun 16, 2026 at 12:14:12PM -0700, Jeff Davis wrote:
> On Tue, 2026-06-16 at 10:09 +0000, Bertrand Drouvot wrote:
> > 0002: fixes it by moving aclcheck_track_record() to after the
> > permission check succeeds in object_aclcheck_ext() and
> > pg_class_aclcheck_ext(). Indeed, there is no need to track failed
> > permission checks.
>
> IIUC, this is necessary for correctness. If an ACL failure doesn't
> cause a transaction abort, then there's a danger that we cause the
> transaction to fail that should have succeeded.
Exactly, because we'd recheck a "harmless" failed ACL check and then produce an error.

> So the ACL tracking needs to be precise: we can't track an ACL check
> unless a failure always causes transaction abort; and we must track an
> ACL check if it would cause a transaction abort. Right?

I would say: we just need to track (and recheck) ACL checks that succeeded.

I think that there is no reason to recheck (and so to record) a failed ACL, as what we are dealing with here is the TOCTOU window. Re-checking a failed ACL check would handle cases where a GRANT has been given during the TOCTOU window, which is not useful (for our protection goal) compared to re-checking for a REVOKE during the TOCTOU window (as the latter would record a dependency on an object we don't have permission on).

Doing so, as proposed in 0002, allows us to fix the "re-check a harmless failed ACL bug" (demonstrated by the added test) and still protect us against REVOKE during the TOCTOU window.

Thoughts?

Regards,

--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
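Added illustration (not PostgreSQL code and not part of the patch under discussion): a toy C model of the two tracking policies compared in the thread, "record every check" versus "record only after the check succeeds", with a commit-time recheck. The object ids, privilege bits and the two scenario functions are assumptions constructed for the example.

```c
#include <stdbool.h>
/* Constructed toy model: one privilege bitmask per object id. */
#define NOBJ 4
#define ACL_SELECT 0x1u
#define ACL_UPDATE 0x2u
static unsigned acl[NOBJ];                             /* current privileges */
static struct { int obj; unsigned mode; } tracked[16]; /* rechecked at commit */
static int ntracked;

static bool has_priv(int obj, unsigned mode) { return (acl[obj] & mode) == mode; }
static void track(int obj, unsigned mode) { tracked[ntracked].obj = obj; tracked[ntracked].mode = mode; ntracked++; }
void acl_reset(void) { for (int i = 0; i < NOBJ; i++) acl[i] = 0; ntracked = 0; }
void acl_grant(int obj, unsigned mode) { acl[obj] |= mode; }
void acl_revoke(int obj, unsigned mode) { acl[obj] &= ~mode; }

/* Before the fix: every check is recorded, whether it passed or not. */
bool aclcheck_track_always(int obj, unsigned mode) {
    track(obj, mode);
    return has_priv(obj, mode);
}

/* After the fix (what 0002 does): record only once the check has passed. */
bool aclcheck_track_on_success(int obj, unsigned mode) {
    if (!has_priv(obj, mode)) return false;
    track(obj, mode);
    return true;
}

/* Commit-time recheck: false means the transaction must abort. */
bool recheck_tracked(void) {
    for (int i = 0; i < ntracked; i++)
        if (!has_priv(tracked[i].obj, tracked[i].mode)) return false;
    return true;
}

/* Scenario A: check passes, then a REVOKE lands in the TOCTOU window.
 * Both policies must make the recheck fail (returns false). */
bool scenario_revoke_in_window(bool (*check)(int, unsigned)) {
    acl_reset(); acl_grant(1, ACL_SELECT);
    bool ok = check(1, ACL_SELECT);
    acl_revoke(1, ACL_SELECT);
    return ok && recheck_tracked();
}

/* Scenario B: a check fails but the caller tolerates that without aborting,
 * and no GRANT follows. Only track-on-success lets the commit through (true);
 * track-always turns the harmless failure into a spurious abort. */
bool scenario_harmless_failure(bool (*check)(int, unsigned)) {
    acl_reset();
    (void)check(2, ACL_UPDATE);
    return recheck_tracked();
}
```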
