Re: Foreign keys breaks tables permissions

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter Eisentraut <peter_e@gmx.net>
Cc: Jan Wieck <wieck@debis.com>, PostgreSQL Development <pgsql-hackers@postgresql.org>, pgsql-sql@postgresql.org
Date: 2000-05-19T17:44:15Z
Lists: pgsql-bugs, pgsql-hackers
Peter Eisentraut <peter_e@gmx.net> writes:
>> 1. Why is RI_FKey_check() using SELECT FOR UPDATE and not plain SELECT?
>> 2. What permissions should SELECT FOR UPDATE require?

> UPDATE seems reasonable. SELECT is no good because it would give read-only
> users the locking power of users with write access.

>> If the existing code is correct on both these points, then I think the
>> answer is that there is no bug: updating a table that has a foreign
>> key reference will require update rights on the master as well.

> I don't think that's acceptable.

I don't like it either, but if an FK check must use SELECT FOR UPDATE
then anyone who can trigger an FK check has the ability to create a
write-class lock on the referenced table.  Wrapping the FK check
in a SETUID trigger doesn't change that fundamental fact; it'll just
mean that the user triggering the check is now able to create a lock
that he doesn't have the privileges to create directly.

This is perhaps the least undesirable of the choices we have, but it's
still a security hole.

			regards, tom lane