| From: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: postgres uptime |
| Date: | 2004-08-20 04:25:59 |
| Message-ID: | 20040820011847.M30511@ganymede.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, 20 Aug 2004, Tom Lane wrote:
> "Marc G. Fournier" <scrappy(at)postgresql(dot)org> writes:
>> On Thu, 19 Aug 2004, Tom Lane wrote:
>>> I'd like to see more than one person requesting this (and with solider
>>> rationales) before it gets added to TODO. If I wanted to be picky I
>>> would suggest that knowledge of the server start time might be useful
>>> information to an attacker. It would for instance narrow down the
>>> number of possible starting seeds for the postmaster's random number
>>> generator.
>
>> Wouldn't an attacker have to have access to the server in the first place
>> to get that information?
>
> They'd only need SQL access to run the proposed uptime() function. The
> question is what they could parlay the information into --- perhaps the
> ability to break into a more-privileged database account, or maybe even
> the ability to break into other services on the same machine. It's not
> unreasonable to suppose that the postmaster start time tells you the
> most recent boot time of the server, and so you might be able to apply
> the same sort of I-know-the-random-seed attack to other daemons on the
> same machine.
>
> This is certainly all speculative. But I thought the rationale for
> clients wanting to know the postmaster start time in the first place
> was pretty dang thin. I am simply pointing out that this is not a
> zero-risk addition, and so we ought to ask just how much more than zero
> benefit it really has.
Good point(s) ... but, what would that give an attacker? Being able to
isolate the random seed, that is? For instance, if you are thinking of
shared memory allocations, unless we have a hole in the server itself that
we aren't aware of, the only way that does any good is if the attacker
does have access to the host machine itself to start with, and then he can
get that info simply using ps (or the uptime command) ...
Does anyone have any 'benefits' to implementing such a thing that we can
list? The cons appear to be easy, what about pros?
Note that I don't put my weight on my comment about 'bragging rights' as a
pro, since, again, that info is just as easy to get by the admin via ps
...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org Yahoo!: yscrappy ICQ: 7615664
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-08-20 04:27:04 | Re: tablespace and sequences? |
| Previous Message | Christopher Kings-Lynne | 2004-08-20 04:24:18 | Re: tablespace and sequences? |