KaiGai Kohei wrote:
Bruce Momjian wrote:
KaiGai Kohei wrote:
Bruce Momjian wrote:
I think we could use row-level access control to prevent people from
seeing databases they should not see in pg_database.
The row-level database ACL which I submitted yesterdat does not allow
to assign ACLs to tuples within system catalogs (like pg_database),
because it is unclear who should be the owner of tuples.
As I noted at the previous message, it considers the owner of the table
as the owner of the tuples due to several reasons. However, some of
system
catalogs have its owner field like "pg_proc.proowner".
This limitation is not a fundamental one, so we can remove it soon.
But, who should be the owner of tuples within system catalogs which have
some kind of "owner" field.
The Postgres super-user should be the owner of all system tables.
OK, I'll update it soon.
I updates my patches:
[1/6]
http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1130.patch
[2/6]
http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r1130.patch
[3/6]
http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1130.patch
[4/6]
http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1130.patch
[5/6]
http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1130.patch
[6/6]
http://sepgsql.googlecode.com/files/sepostgresql-row_acl-8.4devel-3-r1130.patch
List of updates:
- Fixbug: security identifier was not handled correctly on TOAST table
when we repeat to enable/disable the security feature.
- RowACL: remove limitation on system catalogs
- RowACL: the default behavior is changed when we access tuples with no
row-level ACL. The previous version applies ACL inherited from
its table, but the newer one allows anything to public, because
the previous behavior makes problem when you restrict access via
VIEWs.
- RowACL: bugfix when we provide an empty string as a new row-level ACL.
* An example to limit the list of pg_database
[EMAIL PROTECTED] ~]$ psql postgres
psql (8.4devel)
Type "help" for help.
postgres=# CREATE DATABASE test1;
CREATE DATABASE
postgres=# CREATE DATABASE test2;
CREATE DATABASE
postgres=# CREATE DATABASE test3;
CREATE DATABASE
postgres=# UPDATE pg_database SET tuple_acl = '{ymj=r/kaigai}'
WHERE datname like 'test%';
UPDATE 3
postgres=# UPDATE pg_database SET tuple_acl = rowacl_revoke(tableoid,
tuple_acl, 'ymj', 'all')
WHERE datname = 'test2';
UPDATE 1
postgres=# \l
List of databases
Name | Owner | Encoding | Collation | Ctype | Access
Privileges
-----------+--------+----------+-------------+-------------+-------------------------------
postgres | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
{=c/kaigai,kaigai=CTc/kaigai}
template1 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
{=c/kaigai,kaigai=CTc/kaigai}
test1 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
test2 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
test3 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
(6 rows)
postgres=# \q
(*) kaigai (superuser) can see test1, test2 and test3.
[EMAIL PROTECTED] ~]$ psql -Uymj postgres
psql (8.4devel)
Type "help" for help.
postgres=> \l
List of databases
Name | Owner | Encoding | Collation | Ctype | Access
Privileges
-----------+--------+----------+-------------+-------------+-------------------------------
postgres | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
{=c/kaigai,kaigai=CTc/kaigai}
template1 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
{=c/kaigai,kaigai=CTc/kaigai}
test1 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
test3 | kaigai | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
(5 rows)
(*) ymj (normal user) cannot see test2 because kaigai revoked it.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[EMAIL PROTECTED]>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
