| From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, Harold Giménez <harold(at)heroku(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: proposal: hide application_name from other users |
| Date: | 2014-01-21 08:31:20 |
| Message-ID: | 52DE3058.5030408@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 01/21/2014 04:19 PM, Heikki Linnakangas wrote:
> On 01/21/2014 07:22 AM, Harold Giménez wrote:
>> First of all, I apologize for submitting a patch and missing the
>> commitfest
>> deadline. Given the size of the patch, I thought I'd submit it for your
>> consideration regardless.
>>
>> This patch prevents non-superusers from viewing other user's
>> pg_stat_activity.application_name. This topic was discussed some time
>> ago
>> [1] and consequently application_name was made world readable [2].
>>
>> I would like to propose that we hide it instead by reverting to the
>> original behavior. There is a very large number of databases on the same
>> cluster shared across different users who can easily view each other's
>> application_name values. Along with that, there are some libraries that
>> default application_name to the name of the running process [3], which
>> can
>> leak information about what web servers applications are running, queue
>> systems, etc. Furthermore leaking application names in a multi-tenant
>> environment is more information than an attacker should have access to on
>> services like Heroku and other similar providers.
>
> I don't find these arguments compelling to change it now. It's
> well-documented that application_name is visible to everyone. Just don't
> put sensitive information there.
>
> For those users that don't mind advertising application_name, the patch
> would be highly inconvenient. For example, the database owner could no
> longer see the application_name of other users connected to her database.
It also means that monitoring tools must run as superuser to see
information they require, which to me is a total showstopper.
If you want control over visibility of application_name, it should be
done with a column privilige granted to a system role, or something like
that - so the ability to see it can be given to "public" on default
(thus not breaking BC) and if it's revoked from "public", given to roles
that need to see it.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dean Rasheed | 2014-01-21 09:18:50 | Re: WIP patch (v2) for updatable security barrier views |
| Previous Message | Kyotaro HORIGUCHI | 2014-01-21 08:30:16 | Re: Funny representation in pg_stat_statements.query. |