On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway <m...@joeconway.com> wrote:
> On 02/09/2016 11:47 AM, Robert Haas wrote:
>> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfr...@snowman.net> wrote:
>>>> Whereupon you'd have no certainty that what you got represented a
>>>> complete dump of your own data.
>>> It would be a dump of what you're allowed to see, rather than an error
>>> saying you couldn't dump something you couldn't see, which is the
>>> alternative we're talking about here.  Even if you've got a dependency
>>> to something-or-other, if you don't have access to it, then you're
>>> going to get an error.
>> I think you're dismissing Tom's concerns far too lightly.  The
>> row_security=off mode, which is the default, becomes unusable for
>> non-superusers under this proposal.  That's bad.  And if you switch to
>> the other mode, then you might accidentally fail to get all of the
>> data in some table you're trying to back up.  That's bad too: that's
>> why it isn't the default.  There's a big difference between saying
>> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
>> dumping all of the data in some table I *can* see".
> I don't grok what you're saying here. If I, as a non-superuser could
> somehow see all the rows in a table just by running pg_dump, including
> rows that I could not normally see due to RLS policies, *that* would be
> bad. I should have no expectation of being able to dump rows I can't
> normally see.

That's true.  But I should also have an expectation that running
pg_dump won't trigger arbitrary code execution, which is why by
default, pg_dump sets row_security to OFF.  That way, if a row
security policy applies, I get an error rather than an incomplete,
possibly-invalid dump (and arbitrary code execution on the server
side).  If I'm OK with doing the dump subject to row security, I can
rerun with --enable-row-security.  But this proposal would force
non-superusers to always use that option, and that's not a good idea.

Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to