Re: Information of pg_stat_ssl visible to all users

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andres Freund <andres(at)anarazel(dot)de>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Information of pg_stat_ssl visible to all users
Date: 2015-08-31 13:06:27
Message-ID: 20150831130626.GM3685@tamriel.snowman.net
Lists: pgsql-hackers

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Sat, Aug 29, 2015 at 10:27 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > I can see them having problems with a user being able to see the SSL
> > remote user names of all connected users.
>
> I'm pretty sure Heroku don't use client certificates.
>
> And if they did, I would assume the client certificate would be issued to
> aafgrwewediiqz, or possibly aafgrwewediiqz(at)customer(dot)heroku(dot)com or
> something along that line.
>
> Client certificates don't show anything other than the username, unless you
> explicitly choose to put sensitive information in the CN. But we don't
> limit the view of the username in pg_stat_activity, even though people do
> put sensitive things in there (such as the customer name in case of shared
> hosting - everybody doesn't do what Heroku does).
>
> So pg_stat_ssl doesn't show something that's not already visible.

I don't particularly disagree with any of the above but would instead
reiterate my up-thread comment: we already get grief from various
people, rightly in my mind, that we give unprivileged users too much
information about what other unprivileged users are on the system and
adding more information is going in the wrong direction, even if it's of
the same sensitivity level as what we already allow.

Perhaps it really isn't moving the bar all that much but at least for a
number of our users, it's increasing what they have to be worrying about
("well, we knew usernames were an issue, but now we also have to worry
about system usernames and the CN in the certificate and...").

The answer, in my view at least, isn't necessarily to separate the CN
from the username and make them different levels of access or
sensitivity, but rather to allow administrators to control access to
that collective set of information.

Thanks,

Stephen
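As an added illustration (not part of this thread, and not code from the PostgreSQL project) of the "let administrators control access to that collective set of information" point above, the following SQL shows one way an administrator can lock down pg_stat_ssl with the ordinary privilege system. It assumes a PostgreSQL release in which pg_stat_ssl exists (9.5 or later), that the statements are run as a superuser, and a hypothetical role name `monitor` for the readers who are meant to keep the full system-wide view.

```sql
-- Added example, not from the thread or the PostgreSQL project.
-- Assumptions: PostgreSQL 9.5+ (pg_stat_ssl present), run as superuser,
-- hypothetical role name "monitor" for privileged readers.

-- 1. Stop every login role from reading the system-wide view by default.
REVOKE SELECT ON pg_stat_ssl FROM PUBLIC;

-- 2. Hand the full view back only to roles that actually need it.
CREATE ROLE monitor NOLOGIN;
GRANT SELECT ON pg_stat_ssl TO monitor;
-- GRANT monitor TO some_dba_role;   -- membership restores the full view

-- 3. Give everyone else a view limited to their own session(s).
--    A view runs with its owner's privileges (here the superuser), so it
--    can read pg_stat_ssl on the caller's behalf; the WHERE clause
--    restricts the rows to the connecting role.
CREATE VIEW my_ssl_sessions AS
  SELECT s.*
  FROM pg_stat_ssl AS s
  JOIN pg_stat_activity AS a USING (pid)
  WHERE a.usename = current_user;
GRANT SELECT ON my_ssl_sessions TO PUBLIC;

-- 4. Caveat: pg_stat_ssl is itself defined over pg_stat_get_activity(),
--    which is executable by PUBLIC, so revoking the view alone leaves the
--    underlying function callable. Revoking EXECUTE closes that route;
--    superuser-owned views such as pg_stat_activity keep working because
--    they execute with their owner's privileges, not the caller's.
REVOKE EXECUTE ON FUNCTION pg_stat_get_activity(integer) FROM PUBLIC;
```

The point of step 4 is the one practitioners most often miss: in PostgreSQL the monitoring views are thin wrappers over SQL-callable functions, so an access-control decision about "the view" has to be made about the function too, or the restriction is cosmetic.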
