public inbox for [email protected]  
help / color / mirror / Atom feed
From: Bertrand Drouvot <[email protected]>
To: Jeff Davis <[email protected]>
Cc: Heikki Linnakangas <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Roman Eskin <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Alexander Lakhin <[email protected]>
Cc: [email protected]
Cc: Tom Lane <[email protected]>
Subject: Re: Avoid orphaned objects dependencies, take 3
Date: Wed, 17 Jun 2026 05:44:47 +0000
Message-ID: <ajI0Tz9dIJvLGHNY@bdtpg> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<aiLKkTC6QBt8i35P@bdtpg>
	<[email protected]>
	<aie26jMSoEMrHLaI@bdtpg>
	<[email protected]>
	<ailZCCmS0bGlNBfe@bdtpg>
	<ail/6I6mcitovsUo@bdtpg>
	<[email protected]>
	<ajEg7PrJYWnmB6zk@bdtpg>
	<[email protected]>

Hi,

On Tue, Jun 16, 2026 at 12:14:12PM -0700, Jeff Davis wrote:
> On Tue, 2026-06-16 at 10:09 +0000, Bertrand Drouvot wrote:
> > 0002: fixes it by moving aclcheck_track_record() to after the
> > permission check
> > succeeds in object_aclcheck_ext() and pg_class_aclcheck_ext().
> > Indeed, there is
> > no need to track failed permission checks.
> 
> IIUC, this is necessary for correctness. If an ACL failure doesn't
> cause a transaction abort, then there's a danger that we cause the
> transaction to fail that should have succeeded.

Exactly, because we'd recheck an "harmless" failed ACL check and then produce
an error.

> So the ACL tracking needs to be precise: we can't track an ACL check
> unless a failure always causes transaction abort; and we must track an
> ACL check if it would cause a transaction abort. Right?

I would say: we just need to track (and recheck) ACL checks that succeeded.

I think that there is no reason to recheck (and so to record) a failed ACL as what
we are dealing with here is the TOCTOU window. Re-checking a failed ACL check would
handle cases when a GRANT has been given during the TOCTOU window which is not
useful (for our protection goal) compared to re-checking a REVOKE during the
TOCTOU window (as the latter would record a dependency on an object we don't have
permission on).

Doing so, as proposed in 0002, allows us to fix the "re-check a harmless failed
ACL bug" (demonstrated by the added test) and still protect us for REVOKE during
the TOCTOU window.

Thoughts?

Regards,

-- 
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com






view thread (50+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Avoid orphaned objects dependencies, take 3
  In-Reply-To: <ajI0Tz9dIJvLGHNY@bdtpg>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox