Re: Multivariate MCV stats can leak data to unprivileged users

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Dean Rasheed <dean.a.rasheed@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, Tomas Vondra <tomas.vondra@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2019-05-18T15:13:08Z
Lists: pgsql-hackers
Dean Rasheed <dean.a.rasheed@gmail.com> writes:
> On the other hand, pg_dump relies on pg_statistic_ext to work out
> which extended statistics objects to dump. If we were to change that
> to use pg_stats_ext, then a user dumping a table with RLS using the
> --enable-row-security flag wouldn't get any extended statistics
> objects, which would be a somewhat surprising result.

It seems like what we need here is to have a separation between the
*definition* of a stats object (which is what pg_dump needs access
to) and the current actual *data* in it.  I'd have expected that
keeping those in separate catalogs would be the thing to do, though
perhaps it's too late for that.

			regards, tom lane



Commits

  1. Add security checks to the multivariate MCV estimation code.

  2. Add pg_stats_ext view for extended statistics

  3. Rework the pg_statistic_ext catalog