Re: Clarification on Role Access Rights to Table Indexes
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Nathan Bossart <nathandbossart@gmail.com>,
Ayush Vatsa <ayushvatsa1810@gmail.com>,
Robert Haas <robertmhaas@gmail.com>,
"David G. Johnston" <david.g.johnston@gmail.com>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-10-14T16:30:26Z
Lists: pgsql-hackers, pgsql-general
Jeff Davis <pgsql@j-davis.com> writes: > On Mon, 2025-10-13 at 17:21 -0400, Tom Lane wrote: >> I don't think so. Even AccessShareLock is enough to block another >> session trying to acquire AccessExclusiveLock, and then not only >> have you DoS'd that session, but everything else trying to access >> the table will queue up behind the AccessExclusiveLock request. >> So it's only not-a-problem if nothing anywhere in the system wants >> non-sharable locks. > I tried imagining how that could be a problem, but couldn't come up > with anything. If the privilege check is right after the lock, then > either: > (a) The malicious AccessShareLock is granted, then is quickly released > when the privilege check fails and the transaction aborts; or > (b) The malicious AccessShareLock is queued behind a legitimate > AccessExclusiveLock, in which case every other lock would be queued up > as well. As soon as the AccessExclusiveLock is released, the > AccessShareLock would be granted, but quickly released when the > privilege check fails. > For it to be a problem, the malicious lock needs to be strong enough to > conflict with a lock level weaker than itself, i.e. ShareLock or > stronger. Robert might remember better, but I think the assumption behind the current design of RangeVarGetRelidExtended is that it's not okay to take a lock in the first place if you don't have the privilege to do so. Your analysis here supposes that it's okay to take a lock without privileges so long as you can't block someone else for very long, where "very long" is not tightly defined but hopefully isn't controllable by the malicious user. So that's moving the goalposts somewhat, but you might get people to sign onto it with more careful analysis of the worst-case delay. (The thing I'd worry about is whether it's possible to block execution of the privilege check, or even just make it slow.) Given that definition, I think you're right that it's possible to identify cases where lock-then-check can't cause meaningful DoS. RangeVarGetRelidExtended has to cope with the general case, so that's not an argument for simplifying it, but we might not need equivalent complexity everywhere. regards, tom lane
Commits
-
Fix privilege checks for pg_prewarm() on indexes.
- fae0ce5e318e 16.11 landed
- f146eb45cb1a 14.20 landed
- a0551bc5734b 17.7 landed
- 6c03ae8d6e81 15.15 landed
- 3ccf8e9ac96e 18.1 landed
- 208927e65692 19 (unreleased) landed
- 19a64f5676bb 13.23 landed
-
Fix lookup code for REINDEX INDEX.
- 079480dc2022 19 (unreleased) landed
-
Fix redefinition of typedef RangeVar.
- 15d7dded0e93 18.1 landed
-
Fix lookups in pg_{clear,restore}_{attribute,relation}_stats().
- c8af5019bee5 18.1 landed
- 688dc6299a5b 19 (unreleased) landed
-
dblink: Avoid locking relation before privilege check.
- c9b299f6df98 19 (unreleased) landed