Bruce Momjian wrote:
KaiGai Kohei wrote:
Robert Haas wrote:
Can you *do* the row-level permission?
I don't think there's any consensus on a design.
Yes, unfortunately.
No one replied to my proposed design:
   http://marc.info/?l=pgsql-hackers&m=122222470930544&w=2

Yes, we got stuck on the covert channels issue.  Frankly I think the use
of non-natural keys addresses most of the covert channel issues and
should be recommended for secure setups --- I don't think we are going to
do any better than that and think we need to move forward on that
assumption.  We can cite
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.5950, which
outlines the security risks.

I talked to someone in the Solaris Trusted Extension group last week. Their stance is basically that they don't worry about covert channels, because it is too hard or impossible to get right. Their main criterion about what to hide is what gives existing applications a consistent view of the world in spite of the presence of additional access controls, for example to avoid being forced to return errors to applications that cannot happen in normal circumstances.


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
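As an added illustration (not code from the thread or from PostgreSQL) of the natural-key covert channel Bruce refers to, and of why surrogate keys narrow it: a Python/sqlite3 simulation in which a filter hides alice's row from bob, and the only signal bob receives is whether his own INSERT fails. The table, titles, users and the three key designs are constructed for the demo.

```python
import sqlite3
import uuid

# Constructed demo: a row owned by 'alice' that a row-level filter hides from
# 'bob'. The same row is stored under three different key designs.
SCHEMAS = {
    # natural key: the visible attribute is itself the primary key
    "natural": "CREATE TABLE docs (title TEXT PRIMARY KEY, owner TEXT NOT NULL)",
    # surrogate key: random id, no uniqueness on the visible attribute
    "surrogate": "CREATE TABLE docs (id TEXT PRIMARY KEY, title TEXT, "
                 "owner TEXT NOT NULL)",
    # surrogate key, uniqueness scoped to rows the owner may see anyway
    "scoped": "CREATE TABLE docs (id TEXT PRIMARY KEY, title TEXT, "
              "owner TEXT NOT NULL, UNIQUE (owner, title))",
}


def insert_doc(conn, schema, title, owner):
    if schema == "natural":
        conn.execute("INSERT INTO docs (title, owner) VALUES (?, ?)",
                     (title, owner))
    else:
        conn.execute("INSERT INTO docs (id, title, owner) VALUES (?, ?, ?)",
                     (str(uuid.uuid4()), title, owner))


def build_db(schema):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMAS[schema])
    insert_doc(conn, schema, "merger-plan", "alice")  # the hidden row
    return conn


def visible_titles(conn, user):
    # Stand-in for row-level security: only the caller's own rows are returned.
    return [r[0] for r in
            conn.execute("SELECT title FROM docs WHERE owner = ?", (user,))]


def insert_reveals_hidden_row(schema, user="bob", title="merger-plan"):
    """True if an ordinary INSERT by `user` errors because of a hidden row."""
    conn = build_db(schema)
    if visible_titles(conn, user):
        raise RuntimeError("filter is not hiding the row")  # demo sanity check
    try:
        insert_doc(conn, schema, title, user)
    except sqlite3.IntegrityError:
        return True   # unique violation: the hidden row's existence is inferred
    return False      # insert succeeded: nothing learned about other owners
```

Only the natural-key table turns a unique violation into information about rows the filter withholds; a UNIQUE constraint on a visible attribute reopens that channel unless it is scoped, as in the third schema, to rows the user can see anyway.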
