Tom Lane wrote:
> Hannu Krosing <[EMAIL PROTECTED]> writes:
> > It seems to be a broken view not security risk in 7.2.1
> 
> The implementation of temp tables has changed completely in CVS tip,
> so experiments with 7.2 aren't very relevant.  In CVS tip I believe
> you *could* read the contents of someone else's temp table, assuming
> you had permissions to read the view.  However, you'd not be guaranteed
> to get up-to-date information, since the guy who actually owns the temp
> table would be using his local-buffer manager for access to it; there
> might be many pages that you'd see stale information from because the
> only up-to-date copy is in local memory of the owning backend.
> 
> I see some potential for confusion here, but not really any
> crash-the-database scenarios.  I also do not see a security risk:
> you did grant the other guy read permission on your view, after all.

Does every other user see the view name on his temp table?  Can two
people create a view on a temp table at the same time?  It seems not:
        
        test=> create temp table x1(x int);
        CREATE TABLE
        test=> create view x2 as select * from x1;
        ERROR:  Relation 'x2' already exist

Seems this should work.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
    (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])

Reply via email to