| From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
|---|---|
| To: | masao(dot)fujii(at)gmail(dot)com |
| Cc: | amitlangote09(at)gmail(dot)com, tsukiwamoon(dot)pgsql(at)gmail(dot)com, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Exposure related to GUC value of ssl_passphrase_command |
| Date: | 2020-02-13 02:28:05 |
| Message-ID: | 20200213.112805.691543608513803425.horikyota.ntt@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
At Thu, 13 Feb 2020 02:37:29 +0900, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote in
> On Fri, Nov 8, 2019 at 4:24 PM Amit Langote <amitlangote09(at)gmail(dot)com> wrote:
> >
> > Hello.
> >
> > On Tue, Nov 5, 2019 at 5:15 PM Moon, Insung <tsukiwamoon(dot)pgsql(at)gmail(dot)com> wrote:
> > > Deal Hackers.
> > >
> > > The value of ssl_passphrase_command is set so that an external command
> > > is called when the passphrase for decrypting an SSL file such as a
> > > private key is obtained.
> > > Therefore, easily set to work with echo "passphrase" or call to
> > > another get of passphrase application.
> > >
> > > I think that this GUC value doesn't contain very sensitive data,
> > > but just in case, it's dangerous to be visible to all users.
> > > I think do not possible these cases, but if a used echo external
> > > commands or another external command, know what application used to
> > > get the password, maybe we can't be convinced that there's the safety
> > > of using abuse by backtracking on applications.
> > > So I think to the need only superusers or users with the default role
> > > of pg_read_all_settings should see these values.
> > >
> > > Patch is very simple.
> > > How do you think about my thoughts like this?
> >
> > I'm hardly an expert on this topic, but reading this blog post about
> > ssl_passphrase_command:
> >
> > https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/
> >
> > which mentions that some users might go with the very naive
> > configuration such as:
> >
> > ssl_passphrase_command = 'echo "secret"'
> >
> > maybe it makes sense to protect its value from everyone but superusers.
> >
> > So +1.
>
> Seems this proposal is reasonable.
I think it is reasonable.
By the way, I'm not sure the criteria of setting a GUC variable as
GUC_SUPERUSER_ONLY, but for example, ssl_max/min_protocol_version,
dynamic_library_path, log_directory, krb_server_keyfile,
data_directory and config_file are GUC_SUPERUSER_ONLY. So, it seems to
me very strange that ssl_*_file are not. Don't we need to mark them
maybe and some of the other ssl_* as the same?
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2020-02-13 03:03:42 | Re: [HACKERS] Moving relation extension locks out of heavyweight lock manager |
| Previous Message | Thomas Munro | 2020-02-13 01:51:44 | Re: Getting rid of some more lseek() calls |