Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Volgen 1
Ster 0
Wiki 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branch: master
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/rules-privileges.html

157 lines
12KB
Ruw Permalink Blame Geschiedenis 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>40.5. Rules and Privileges</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="rules-update.html" title="40.4. Rules on INSERT, UPDATE, and DELETE" /><link rel="next" href="rules-status.html" title="40.6. Rules and Command Status" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">40.5. Rules and Privileges</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="rules-update.html" title="40.4. Rules on INSERT, UPDATE, and DELETE">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="rules.html" title="Chapter 40. The Rule System">Up</a></td><th width="60%" align="center">Chapter 40. The Rule System</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="rules-status.html" title="40.6. Rules and Command Status">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="RULES-PRIVILEGES"><div class="titlepage"><div><div><h2 class="title" style="clear: both">40.5. Rules and Privileges</h2></div></div></div><a id="id-1.8.6.10.2" class="indexterm"></a><a id="id-1.8.6.10.3" class="indexterm"></a><p>

  3.     Due to rewriting of queries by the <span class="productname">PostgreSQL</span>

  4.     rule system, other tables/views than those used in the original

  5.     query get accessed. When update rules are used, this can include write access

  6.     to tables.

  7. </p><p>

  8.     Rewrite rules don't have a separate owner. The owner of

  9.     a relation (table or view) is automatically the owner of the

  10.     rewrite rules that are defined for it.

  11.     The <span class="productname">PostgreSQL</span> rule system changes the

  12.     behavior of the default access control system. Relations that

  13.     are used due to rules get checked against the

  14.     privileges of the rule owner, not the user invoking the rule.

  15.     This means that users only need the required privileges

  16.     for the tables/views that are explicitly named in their queries.

  17. </p><p>

  18.     For example: A user has a list of phone numbers where some of

  19.     them are private, the others are of interest for the assistant of the office.

  20.     The user can construct the following:

  21. 

  22. </p><pre class="programlisting">

  23. CREATE TABLE phone_data (person text, phone text, private boolean);

  24. CREATE VIEW phone_number AS

  25.     SELECT person, CASE WHEN NOT private THEN phone END AS phone

  26.     FROM phone_data;

  27. GRANT SELECT ON phone_number TO assistant;

  28. </pre><p>

  29. 

  30.     Nobody except that user (and the database superusers) can access the

  31.     <code class="literal">phone_data</code> table. But because of the <code class="command">GRANT</code>,

  32.     the assistant can run a <code class="command">SELECT</code> on the

  33.     <code class="literal">phone_number</code> view. The rule system will rewrite the

  34.     <code class="command">SELECT</code> from <code class="literal">phone_number</code> into a

  35.     <code class="command">SELECT</code> from <code class="literal">phone_data</code>.

  36.     Since the user is the owner of

  37.     <code class="literal">phone_number</code> and therefore the owner of the rule, the

  38.     read access to <code class="literal">phone_data</code> is now checked against the user's

  39.     privileges and the query is permitted. The check for accessing

  40.     <code class="literal">phone_number</code> is also performed, but this is done

  41.     against the invoking user, so nobody but the user and the

  42.     assistant can use it.

  43. </p><p>

  44.     The privileges are checked rule by rule. So the assistant is for now the

  45.     only one who can see the public phone numbers. But the assistant can set up

  46.     another view and grant access to that to the public. Then, anyone

  47.     can see the <code class="literal">phone_number</code> data through the assistant's view.

  48.     What the assistant cannot do is to create a view that directly

  49.     accesses <code class="literal">phone_data</code>.  (Actually the assistant can, but it will not work since

  50.     every access will be denied during the permission checks.)

  51.     And as soon as the user notices that the assistant opened

  52.     their <code class="literal">phone_number</code> view, the user can revoke the assistant's access. Immediately, any

  53.     access to the assistant's view would fail.

  54. </p><p>

  55.     One might think that this rule-by-rule checking is a security

  56.     hole, but in fact it isn't.   But if it did not work this way, the assistant

  57.     could set up a table with the same columns as <code class="literal">phone_number</code> and

  58.     copy the data to there once per day. Then it's the assistant's own data and

  59.     the assistant can grant access to everyone they want. A

  60.     <code class="command">GRANT</code> command means, <span class="quote">“<span class="quote">I trust you</span>”</span>.

  61.     If someone you trust does the thing above, it's time to

  62.     think it over and then use <code class="command">REVOKE</code>.

  63. </p><p>

  64.     Note that while views can be used to hide the contents of certain

  65.     columns using the technique shown above, they cannot be used to reliably

  66.     conceal the data in unseen rows unless the

  67.     <code class="literal">security_barrier</code> flag has been set.  For example,

  68.     the following view is insecure:

  69. </p><pre class="programlisting">

  70. CREATE VIEW phone_number AS

  71.     SELECT person, phone FROM phone_data WHERE phone NOT LIKE '412%';

  72. </pre><p>

  73.     This view might seem secure, since the rule system will rewrite any

  74.     <code class="command">SELECT</code> from <code class="literal">phone_number</code> into a

  75.     <code class="command">SELECT</code> from <code class="literal">phone_data</code> and add the

  76.     qualification that only entries where <code class="literal">phone</code> does not begin

  77.     with 412 are wanted.  But if the user can create their own functions,

  78.     it is not difficult to convince the planner to execute the user-defined

  79.     function prior to the <code class="function">NOT LIKE</code> expression.

  80.     For example:

  81. </p><pre class="programlisting">

  82. CREATE FUNCTION tricky(text, text) RETURNS bool AS $$

  83. BEGIN

  84.     RAISE NOTICE '% =&gt; %', $1, $2;

  85.     RETURN true;

  86. END

  87. $$ LANGUAGE plpgsql COST 0.0000000000000000000001;

  88. 

  89. SELECT * FROM phone_number WHERE tricky(person, phone);

  90. </pre><p>

  91.     Every person and phone number in the <code class="literal">phone_data</code> table will be

  92.     printed as a <code class="literal">NOTICE</code>, because the planner will choose to

  93.     execute the inexpensive <code class="function">tricky</code> function before the

  94.     more expensive <code class="function">NOT LIKE</code>.  Even if the user is

  95.     prevented from defining new functions, built-in functions can be used in

  96.     similar attacks.  (For example, most casting functions include their

  97.     input values in the error messages they produce.)

  98. </p><p>

  99.     Similar considerations apply to update rules. In the examples of

  100.     the previous section, the owner of the tables in the example

  101.     database could grant the privileges <code class="literal">SELECT</code>,

  102.     <code class="literal">INSERT</code>, <code class="literal">UPDATE</code>, and <code class="literal">DELETE</code> on

  103.     the <code class="literal">shoelace</code> view to someone else, but only

  104.     <code class="literal">SELECT</code> on <code class="literal">shoelace_log</code>. The rule action to

  105.     write log entries will still be executed successfully, and that

  106.     other user could see the log entries.  But they could not create fake

  107.     entries, nor could they manipulate or remove existing ones.  In this

  108.     case, there is no possibility of subverting the rules by convincing

  109.     the planner to alter the order of operations, because the only rule

  110.     which references <code class="literal">shoelace_log</code> is an unqualified

  111.     <code class="literal">INSERT</code>.  This might not be true in more complex scenarios.

  112. </p><p>

  113.     When it is necessary for a view to provide row level security, the

  114.     <code class="literal">security_barrier</code> attribute should be applied to

  115.     the view.  This prevents maliciously-chosen functions and operators from

  116.     being passed values from rows until after the view has done its work.  For

  117.     example, if the view shown above had been created like this, it would

  118.     be secure:

  119. </p><pre class="programlisting">

  120. CREATE VIEW phone_number WITH (security_barrier) AS

  121.     SELECT person, phone FROM phone_data WHERE phone NOT LIKE '412%';

  122. </pre><p>

  123.     Views created with the <code class="literal">security_barrier</code> may perform

  124.     far worse than views created without this option.  In general, there is

  125.     no way to avoid this: the fastest possible plan must be rejected

  126.     if it may compromise security.  For this reason, this option is not

  127.     enabled by default.

  128. </p><p>

  129.     The query planner has more flexibility when dealing with functions that

  130.     have no side effects.  Such functions are referred to as <code class="literal">LEAKPROOF</code>, and

  131.     include many simple, commonly used operators, such as many equality

  132.     operators.  The query planner can safely allow such functions to be evaluated

  133.     at any point in the query execution process, since invoking them on rows

  134.     invisible to the user will not leak any information about the unseen rows.

  135.     Further, functions which do not take arguments or which are not passed any

  136.     arguments from the security barrier view do not have to be marked as

  137.     <code class="literal">LEAKPROOF</code> to be pushed down, as they never receive data

  138.     from the view.  In contrast, a function that might throw an error depending

  139.     on the values received as arguments (such as one that throws an error in the

  140.     event of overflow or division by zero) is not leak-proof, and could provide

  141.     significant information about the unseen rows if applied before the security

  142.     view's row filters.

  143. </p><p>

  144.     It is important to understand that even a view created with the

  145.     <code class="literal">security_barrier</code> option is intended to be secure only

  146.     in the limited sense that the contents of the invisible tuples will not be

  147.     passed to possibly-insecure functions.  The user may well have other means

  148.     of making inferences about the unseen data; for example, they can see the

  149.     query plan using <code class="command">EXPLAIN</code>, or measure the run time of

  150.     queries against the view.  A malicious attacker might be able to infer

  151.     something about the amount of unseen data, or even gain some information

  152.     about the data distribution or most common values (since these things may

  153.     affect the run time of the plan; or even, since they are also reflected in

  154.     the optimizer statistics, the choice of plan).  If these types of "covert

  155.     channel" attacks are of concern, it is probably unwise to grant any access

  156.     to the data at all.

  157. </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="rules-update.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="rules.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="rules-status.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">40.4. Rules on <code class="command">INSERT</code>, <code class="command">UPDATE</code>, and <code class="command">DELETE</code> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 40.6. Rules and Command Status</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1