Re: Multivariate MCV stats can leak data to unprivileged users

Dean Rasheed <dean.a.rasheed@gmail.com>

From: Dean Rasheed <dean.a.rasheed@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andres Freund <andres@anarazel.de>, Tomas Vondra <tomas.vondra@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2019-05-18T15:43:29Z
Lists: pgsql-hackers
On Sat, 18 May 2019 at 16:13, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Dean Rasheed <dean.a.rasheed@gmail.com> writes:
> > On the other hand, pg_dump relies on pg_statistic_ext to work out
> > which extended statistics objects to dump. If we were to change that
> > to use pg_stats_ext, then a user dumping a table with RLS using the
> > --enable-row-security flag wouldn't get any extended statistics
> > objects, which would be a somewhat surprising result.
>
> It seems like what we need here is to have a separation between the
> *definition* of a stats object (which is what pg_dump needs access
> to) and the current actual *data* in it.  I'd have expected that
> keeping those in separate catalogs would be the thing to do, though
> perhaps it's too late for that.
>

Yeah, with the benefit of hindsight, that would have made sense, but
that seems like a pretty big change to be attempting at this stage.

Regards,
Dean



Commits

  1. Add security checks to the multivariate MCV estimation code.

  2. Add pg_stats_ext view for extended statistics

  3. Rework the pg_statistic_ext catalog