Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w55WX-002sjW-1V for pgsql-hackers@arkaria.postgresql.org; Tue, 24 Mar 2026 17:26:37 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w55WV-0089Tm-1p for pgsql-hackers@arkaria.postgresql.org; Tue, 24 Mar 2026 17:26:35 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <3danissimo@gmail.com>) id 1w55WV-0089T1-0j for pgsql-hackers@lists.postgresql.org; Tue, 24 Mar 2026 17:26:35 +0000 Received: from mail-yx1-xb135.google.com ([2607:f8b0:4864:20::b135]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from <3danissimo@gmail.com>) id 1w55WP-00000000uim-2Vig for pgsql-hackers@postgresql.org; Tue, 24 Mar 2026 17:26:35 +0000 Received: by mail-yx1-xb135.google.com with SMTP id 956f58d0204a3-64acd19e1dfso4687891d50.0 for ; Tue, 24 Mar 2026 10:26:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1774373186; cv=none; d=google.com; s=arc-20240605; b=Cg+RahACl6Tblxoe4XPMivIdNBJfJ+7EMitt24d4Fiu2M0b3EMo2jDNAK2HbJREKzn 09T0q0U7RQLrq6HM82LKHWTff2b3b7c0aBT5LHbMX4MPiS6UvY+JcgjDc2cO59YVrx4X XqZXzuqElbtq6GKmogFHnfYgNnaUrHHd3DPcYQeoCgK1x+ceOXB4Kpg7B249eUXOOtdA 89oFt6Ys3NAXym0Djw0R0ZFHvP9eXAQI2nLzEdupn7mfxAyi3AO7v/TOJiMNel1GNq2s 8soYd9mBaeiQ03e8gj44alF7kW26+HIrT6tUrPj4NshzBeIxNKyJINsFyxonsoQmk7Ty ND0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=RBUmVPuuPuGBsEEcFrrg8Ajq+IMJ0A6MndwDxpdOtoQ=; fh=EHUxSZquFGCnkDuprj0p1CPEforghmRDEGcLrq/8Vso=; b=J6ch0vdAlrOVXZ68cGmTqH9UIAIvw2JoychNuH5zJLyETiAmhDGRJN0PqEs0BGpfaq ww0FhTk/JmWx92EO8jAP2g18RWpQNMzAlu5jlNqxiuzOlxTWzkATJ3MO/MDrLynuOpKp Efq7tvsNedOlXUP3Obo9wVI0CGm2A+6Qbad5x9tfNu5kFq8WPTn8zhYa6ydO0IAg0GWk CCfiibfN8EctOIvS4edPli7lOIjs8vWzaSZMVqkB0U4SdUWSQN1MZ3/WhYQqsjVSlqf0 7A40vki19WHBjaugPfVeoyQo1rxGdCoa1qefjkvTD8CHBAZrfFX4i/ZNVfUb+Pm56TSk XDbw==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1774373186; x=1774977986; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=RBUmVPuuPuGBsEEcFrrg8Ajq+IMJ0A6MndwDxpdOtoQ=; b=I7kjMNfcEXNfYl5EBMV++LTAJwZMExutnEqPaL/iz0uYvJmD0cGRk9k/Fm+6v4NGss XtY0X9uTknUqLnMw/U23Nk0YXjPEZfuXqCgYDS4umomJ6tws0fVqatyacnejG6CzqsU2 uhwgGfbgqLwRnDy1pUAE5/mpmPMmEKvfl9nXG4rRgvqss3WlVflZTVfJqbvKq8RCmUNV 8EwpGXPy32EqEBgZnHZbUuFGHc6nAj842fo5dBSI0ALFNQ3STqCYPNfdo4TFtI18PTku sqTSxgz0/G9S0uIK2fS3D9AdPRi1N76+n4ZlNSEz9hfqfI4fIRBBQIHpsPrVSnz8ugRW FF1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774373186; x=1774977986; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=RBUmVPuuPuGBsEEcFrrg8Ajq+IMJ0A6MndwDxpdOtoQ=; b=JAgn4GPq2H/xOnYlTM3/8HSLB3ay5awoQxFcs9CDXDIq2yw0TKsxJzSfDhm8zXH7Sy B7t9jH3KSzhqG6nA/dimEvGB6lk9LiNaDnY77lSH3qUViWu0V+cWa6KQfxbKc9l6jkQd 4wYlmjw6t2Vdffvk1P8jA1pky4xyBeM6QL48a/dd2o7QXClZvu9vkoqpQ55qCPVfYb0Q oX8EowLuPe9xn4A4LvxPm3AQVJ+Moh693spQJokh4rQISB7nvEKx/Tk4CeuCQBJZFHtX DwXTxEMPoRTunYEdJztBckKIM5iToTENlIiwupAfyUXFt7A4w9ynI1pFl7zEYujSY8Sx bxhQ== X-Forwarded-Encrypted: i=1; AJvYcCX2GagsAWrZIHciUs6O5H/InWKaGQhIZcNl5fMUvAqDfzJdJ1CCorJEQwboeZ7iYBuRzqyp6K2BG/4on0Hm@postgresql.org X-Gm-Message-State: AOJu0YyOdlTPuL5RJl1dG7lf+8DxKSvtpABQpA5pXunHdpJugiJaRGsO mmMauijuePYKCym1JTKss1nl2/m3Hk9iPn+BjpLR0po/RknlteVlWP4AlL6tguJKceX+TetC1M4 qX0Gty965NS0Eel0wslj6p+Ni50MGUOQ= X-Gm-Gg: ATEYQzwDHjU97/mA469eR5QmK+lIcXR2TxlA+qMYqpW+nmkXc0QHDyiN8BTCrkeaAQL McBB+pc9exELODtsDRyaSpVa1Xd1jWE0bWl4kwJxsVVf9aq+4HsnI0CH4odYoKaIQyBnlmVLQmi 8JQUvU5/naMaap/eDw7NFpznMm7gPo1IsflAZ9gLerGq3zc3kxyfP8onYsOJySX8fqTetKZkAZ2 /vcD3FsYXq0zCK1wkxvEVxSxiS5D4NAMmiSk2S9bvvHmnK1QpDPDlDWIy3rLmu78xHelBjMl+5+ cIgB1uuq X-Received: by 2002:a53:d005:0:b0:64e:da69:f2cd with SMTP id 956f58d0204a3-64ee60ae6abmr341867d50.30.1774373185545; Tue, 24 Mar 2026 10:26:25 -0700 (PDT) MIME-Version: 1.0 References: <2f3fa419-9000-4e2a-b070-6e35d5de0e4c@uni-muenster.de> <751a6cb8-cac8-46c4-8c64-9e23f663e926@uni-muenster.de> <1a32fc83-df78-4774-97dc-2bb06dbb16e9@uni-muenster.de> <3529398.1774273446@sss.pgh.pa.us> In-Reply-To: <3529398.1774273446@sss.pgh.pa.us> From: Daniil Davydov <3danissimo@gmail.com> Date: Wed, 25 Mar 2026 00:26:13 +0700 X-Gm-Features: AQROBzAhTlrf7TmtjmkTT-lgVhGnPkiv6_AoyweJe1kHUfgY84ejf6y11Dlk9_c Message-ID: Subject: Re: Fix bug with accessing to temporary tables of other sessions To: Tom Lane Cc: Jim Jones , Soumya S Murali , Stepan Neretin , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On Mon, Mar 23, 2026 at 8:31=E2=80=AFPM Jim Jones wrote: > > This is a step forward in really isolating contents of temp tables from > other sessions, but the more I think about it, the more I'm concerned > with the current approach -- I spent some time investigating this > problem a bit deeper last week. > > My main concern is the usage of gram.y, as a parser is arguably fragile > for this kind of things. I don't actually want to use gram.y as a main solver of this issue. But gram.y is setting the "relpersistence" field for the RangeVar and all subsequent code is treating this value as truthful. In particular, v12 patc= h is relying on this field in RangeVar during the resolution of access issues= , and IMHO it's not out of line with the current code base. For instance, we = are considering RangeVar to determine whether we can perform a CREATE operation within the specified namespace (see RangeVarAdjustRelationPersistence). Even if we decide not to touch the gram.y in this patch, I still think that leaving the "relpesistence" field misleading may lead to more bugs appearin= g in the future. I.e. it should be fixed anyway (maybe in another thread?). > For instance, one can always change the > search_path and bypass this restriction: > > (table t was created in a different session) > > postgres=3D# SELECT * FROM pg_temp_81.t; > ERROR: cannot access temporary relations of other sessions > LINE 1: SELECT * FROM pg_temp_81.t; > ^ > postgres=3D# SET search_path =3D pg_temp_81, public; > SET > postgres=3D# SELECT * FROM t; > ?column? > ---------- > (0 rows) > > * See: if (relation->relpersistence =3D=3D RELPERSISTENCE_TEMP) in > namespace.c for more details. Yeah, you are right. It turns out that the current patch doesn't fully protect other temp tables from superuser. The first thought that comes to m= e is to forbid setting other-temp-namespaces in a search_path parameter. I kn= ow it's starting to look ugly. But actually, such a restriction seems quite logical. > > IMO, since it is an access control issue, I guess we better treat it as > such and modify aclchk.c instead. > > Something like this the file attached. This breaks an unrelated test, > which is potentially a bug in REPACK ... but I'll describe it in another > thread. > > Thoughts? Thank you for the patch! It seems much more beautiful and convenient to maintain, but I have a little concern about it. Actually, in your implementation we can DROP other temp tables not because = we make an exception to the general rule ("don't touch other temp tables"), bu= t because we just can perform such operations with every object in pg_temp_0. If other operations with the same access checking as DROP command appear in the future, the user will be able to perform these operations for other-temp-tables. I.e. we will need to manually prevent such new operation= s from accessing other-temp-tables. Have I gone too far in my reasoning? BTW, your implementation allows calling a VACUUM for other-temp-tables. I t= hink that we should forbid that too. On Mon, Mar 23, 2026 at 8:44=E2=80=AFPM Tom Lane wrote: > > Jim Jones writes: > > This is a step forward in really isolating contents of temp tables from > > other sessions, but the more I think about it, the more I'm concerned > > with the current approach -- I spent some time investigating this > > problem a bit deeper last week. > > Yeah. I think this entire approach is wrongheaded: we do not enforce > permissions checks against superusers. Moreover, if we try to fix it > at the permissions level, it seems nearly certain that there will be > bypass paths, simply because superusers bypass so many other checks. > Actually, v12 patch is not about a superuser rights restriction, but about forbidding such operations for everyone. Anyway, we have a new perl test th= at will prevent adding a code that will allow superuser to (somehow) break the protection of both mine and Jim's patches. Isn't that a sufficient guarante= e that superuser will not bypass checks that it must not bypass? > The actual problem is that the buffer manager is incapable of dealing > with other sessions' temp tables, and we need to un-break the buffer > manager's defense for that implementation restriction. So I feel the > correct approach is something similar to what I described here: > > https://www.postgresql.org/message-id/flat/2736425.1758475979%40sss.pgh.p= a.us > > I'm not wedded to that specific patch, but that is the implementation > level where the fix is needed. > Handling access to other-temp-tables on the buffer manager level seems to m= e like fighting the symptom, not the cause. Protection of other-temp-tables i= s kinda "upper-level logical restriction". At the same time, buffer manager i= s a lower-level implementation which shouldn't face such upper-level issues. Am I missing something? -- Best regards, Daniil Davydov