Re: Information of pg_stat_ssl visible to all users

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Information of pg_stat_ssl visible to all users
Date: 2015-07-07 16:57:58
Message-ID: 26947.1436288278@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Andres Freund <andres(at)anarazel(dot)de> writes:
> On 2015-07-07 12:03:36 -0400, Peter Eisentraut wrote:
>> I think the DN is analogous to the remote user name, which we don't
>> expose for any of the other authentication methods.

> Huh?

Peter's exactly right: there is no other case where you can tell what
some other connection's actual OS username is. You might *guess* that
it's the same as their database username, but you don't know that,
assuming you don't know how they authenticated.

I'm not sure how security-critical this info really is, though.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Fujii Masao 2015-07-07 16:58:26 Re: [PATCH] correct the initdb.log path for pg_regress
Previous Message Josh Berkus 2015-07-07 16:54:50 Re: 9.5 alpha: some small comments on BRIN and btree_gin