public inbox for [email protected]
help / color / mirror / Atom feedFrom: Bertrand Drouvot <[email protected]>
To: Jeff Davis <[email protected]>
Cc: Heikki Linnakangas <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Roman Eskin <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Alexander Lakhin <[email protected]>
Cc: [email protected]
Cc: Tom Lane <[email protected]>
Subject: Re: Avoid orphaned objects dependencies, take 3
Date: Wed, 17 Jun 2026 05:44:47 +0000
Message-ID: <ajI0Tz9dIJvLGHNY@bdtpg> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<aiLKkTC6QBt8i35P@bdtpg>
<[email protected]>
<aie26jMSoEMrHLaI@bdtpg>
<[email protected]>
<ailZCCmS0bGlNBfe@bdtpg>
<ail/6I6mcitovsUo@bdtpg>
<[email protected]>
<ajEg7PrJYWnmB6zk@bdtpg>
<[email protected]>
Hi,
On Tue, Jun 16, 2026 at 12:14:12PM -0700, Jeff Davis wrote:
> On Tue, 2026-06-16 at 10:09 +0000, Bertrand Drouvot wrote:
> > 0002: fixes it by moving aclcheck_track_record() to after the
> > permission check
> > succeeds in object_aclcheck_ext() and pg_class_aclcheck_ext().
> > Indeed, there is
> > no need to track failed permission checks.
>
> IIUC, this is necessary for correctness. If an ACL failure doesn't
> cause a transaction abort, then there's a danger that we cause the
> transaction to fail that should have succeeded.
Exactly, because we'd recheck an "harmless" failed ACL check and then produce
an error.
> So the ACL tracking needs to be precise: we can't track an ACL check
> unless a failure always causes transaction abort; and we must track an
> ACL check if it would cause a transaction abort. Right?
I would say: we just need to track (and recheck) ACL checks that succeeded.
I think that there is no reason to recheck (and so to record) a failed ACL as what
we are dealing with here is the TOCTOU window. Re-checking a failed ACL check would
handle cases when a GRANT has been given during the TOCTOU window which is not
useful (for our protection goal) compared to re-checking a REVOKE during the
TOCTOU window (as the latter would record a dependency on an object we don't have
permission on).
Doing so, as proposed in 0002, allows us to fix the "re-check a harmless failed
ACL bug" (demonstrated by the added test) and still protect us for REVOKE during
the TOCTOU window.
Thoughts?
Regards,
--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
view thread (50+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Avoid orphaned objects dependencies, take 3
In-Reply-To: <ajI0Tz9dIJvLGHNY@bdtpg>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox