Tom Lane wrote: > "Robert Haas" <[EMAIL PROTECTED]> writes: > > I think you have to resign yourself to the fact that a user who can > > see only a subset of the rows in a table may very well see apparent > > foreign-key violations. But so what? > > So you're leaking information about the rows that they're not supposed > to be able to see. This is not what I would call national-security-grade > information hiding --- leastwise *I* certainly wouldn't store nuclear > weapon design information in such a database. The people that the NSA > wants to defend against are more than smart enough, and persistent > enough, to extract information through such loopholes. > > I can't escape the lurking suspicion that some bright folk inside the > NSA have spent years thinking about this and have come up with some > reasonably self-consistent definition of row hiding in a SQL database. > But have they published it where we can find it?
I am confused how knowing that a sequence number used for a primary key exists or doesn't exist is leaking _meaningful_ information. People might know the sequence number exists, but how is that information useful. Now, if natural keys are used, that is a different story. I am, of course, supportive of digging deeper to find the best possible behavior. I am also supportive of making row-level security an SQL-level feature that can be used beyond SE-Linux, and will allow the feature to be tested on all platforms. -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
