KaiGai Kohei wrote: > Tom Lane wrote: > > Josh Berkus <[EMAIL PROTECTED]> writes: > >> Multilevel frameworks have concepts of data hiding and data substitution > >> based on labels. That is, if a user doesn't have permissions on data, > >> he's not merely supposed to be denied access to it, he's not even supposed > >> to know that the data exists. In extreme cases (think military / CIA use) > >> data at a lower security level should be substitited for the higher > >> security level data which the user isn't allowed. Silently. > > > > Yeah, that's what I keep hearing that the spooks think they want. > > I can't imagine how it would play nice with SQL-standard integrity > > constraints. Data that apparently violates a foreign-key constraint, > > for example, would give someone a pretty good clue that there's > > something there he's not being allowed to see. > > Please note that SE-PostgreSQL does not adopt following technology > because of its complexity. When user tries to update a PK refered by > invisible FK, it generate an error. Thus, it is theoretically possible > to estimate the invisible PKs by attacks with repeating.
I assume if you use only non-natural keys (use sequence numbers, not codes like PHL or USA), there is no problem in finding the missing keys by repeated testing. -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
