|PostgreSQL Reference Manual - Volume 2 - Programming Guide|
by The PostgreSQL Global Development Group
Paperback (6"x9"), 408 pages
RRP £19.95 ($34.95)
Sales of this book support the PostgreSQL project! Get a printed copy>>>
7.4 Rules and Privileges
Due to rewriting of queries by the PostgreSQL rule system, other tables/views than those used in the original query get accessed. When update rules are used, this can include write access to tables.
Rewrite rules don't have a separate owner. The owner of a relation (table or view) is automatically the owner of the rewrite rules that are defined for it. The PostgreSQL rule system changes the behavior of the default access control system. Relations that are used due to rules get checked against the privileges of the rule owner, not the user invoking the rule. This means that a user only needs the required privileges for the tables/views that he names explicitly in his queries.
For example: A user has a list of phone numbers where some of them are private, the others are of interest for the secretary of the office. He can construct the following:
CREATE TABLE phone_data (person text, phone text, private boolean); CREATE VIEW phone_number AS SELECT person, phone FROM phone_data WHERE NOT private; GRANT SELECT ON phone_number TO secretary;
Nobody except him (and the database superusers) can access the
phone_data table. But because of the
the secretary can run a
SELECT on the
phone_number view. The rule system will rewrite the
phone_number into a
phone_data and add the
qualification that only entries where
private is false
are wanted. Since the user is the owner of
phone_number and therefore the owner of the rule, the
read access to
phone_data is now checked against his
privileges and the query is permitted. The check for accessing
phone_number is also performed, but this is done
against the invoking user, so nobody but the user and the
secretary can use it.
The privileges are checked rule by rule. So the secretary is for now the
only one who can see the public phone numbers. But the secretary can setup
another view and grant access to that to the public. Then, anyone
can see the
phone_number data through the secretary's view.
What the secretary cannot do is to create a view that directly
phone_data. (Actually he can, but it will not work since
every access will be denied during the permission checks.)
And as soon as the user will notice, that the secretary opened
phone_number view, he can revoke his access. Immediately, any
access to the secretary's view would fail.
One might think that this rule-by-rule checking is a security
hole, but in fact it isn't. But if it did not work this way, the secretary
could set up a table with the same columns as
copy the data to there once per day. Then it's his own data and
he can grant access to everyone he wants. A
GRANT command means, “I trust you”.
If someone you trust does the thing above, it's time to
think it over and then use
This mechanism also works for update rules. In the examples of
the previous section, the owner of the tables in the example
database could grant the privileges
shoelace view to someone else, but only
shoelace_log. The rule action to
write log entries will still be executed successfully, and that
other user could see the log entries. But he cannot create fake
entries, nor could he manipulate or remove existing ones.
|ISBN 0954612035||PostgreSQL Reference Manual - Volume 2 - Programming Guide||See the print edition|