On Fri, Aug 2, 2024 at 11:07 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
> Joe Conway <m...@joeconway.com> writes:
> > <dons flameproof suit>
> > Hmmm, and then have "leakproof_mode" = strict/lax/off where 'strict' is
> > current behavior, 'lax' allows the 'maybe's to get pushed down, and
> > 'off' ignores the leakproof attribute entirely and pushes down anything
> > that merits being pushed?
> > </dons flameproof suit>
>
> So in other words, we might as well just remove RLS.
<stage-whisper>Hey, everybody, I don't think Tom likes the proposal.</stage-whisper>

I'll be honest: I don't like it, either. I don't even like proleakproof=true/false/maybe; I asked about that to understand if that was what Jacob was proposing, not because I actually think we should do it. The problem is that there's likely to be a fairly wide range contained inside of "maybe", with cases like "upper" at the safer end of the spectrum. That's too fuzzy to use as a basis for any sort of real security, IMHO; we won't be able to find two hackers who agree on how anything should be marked.

I think part of our problem here is that we have very few examples of how to actually analyze a function for leakproof-ness, or how to exploit one that is erroneously so marked. The conversations then tend to degenerate into some people saying things are scary and some people saying the scariness is overrated and then the whole thing just becomes untethered from reality. Maybe we need to create some really robust documentation in this area so that we can move toward a common conceptual framework, instead of everybody just having a lot of opinions.

I can't shake the feeling that if PostgreSQL got the same level of attention from security researchers that Linux or OpenSSL do, this would be a very different conversation. The fact that we have more people complaining about RLS causing poor query performance than we do about RLS leaking information is probably a sign that it's being used to provide more security theatre than actual security. Even the leaks we intended to have are pretty significant, and I'm sure that we have some we didn't intend.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
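The mechanism the thread is arguing about, as an added illustration that is not part of the thread or of PostgreSQL's own documentation: a row-level-security policy, a function that is analysed and found not to be leakproof, the effect of marking it LEAKPROOF anyway, and an audit query for functions already carrying the mark. The table `accounts`, the policy `own_rows` and the function `check_balance` are hypothetical.

```sql
-- Added illustration (not from the thread); accounts, own_rows and
-- check_balance are hypothetical. Run the EXPLAINs as a non-superuser,
-- since superusers bypass row-level security entirely.
CREATE TABLE accounts (id int, owner text, balance numeric);
INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', -5);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
ALTER TABLE accounts FORCE ROW LEVEL SECURITY;   -- apply the policy to the owner too
CREATE POLICY own_rows ON accounts USING (owner = current_user);

-- Analysing this function for leakproof-ness: the RAISE echoes its argument,
-- so it is NOT leakproof. If it were evaluated on a row the policy hides,
-- the error text would disclose that row's balance to the caller.
CREATE FUNCTION check_balance(b numeric) RETURNS boolean
LANGUAGE plpgsql AS $$
BEGIN
  IF b < 0 THEN
    RAISE EXCEPTION 'negative balance: %', b;
  END IF;
  RETURN true;
END $$;

-- Unmarked, the planner must keep check_balance behind the policy qual:
-- in the plan's Filter line it cannot precede the policy's condition.
EXPLAIN (COSTS OFF) SELECT * FROM accounts WHERE check_balance(balance);

-- Marking it LEAKPROOF (superuser only) drops that ordering constraint;
-- the planner is then free to order the quals by cost alone. This is the
-- erroneous marking the thread is worried about.
ALTER FUNCTION check_balance(numeric) LEAKPROOF;
EXPLAIN (COSTS OFF) SELECT * FROM accounts WHERE check_balance(balance);

-- Audit: every non-catalog function currently marked leakproof. Each should
-- have had the analysis above; a plpgsql body deserves a close look, since
-- any RAISE or argument-dependent error is a leak.
SELECT n.nspname, p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       l.lanname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_language l ON l.oid = p.prolang
WHERE p.proleakproof
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```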