Re: Information of pg_stat_ssl visible to all users

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Information of pg_stat_ssl visible to all users
Date: 2015-07-07 16:06:23
Message-ID: CABUevEwFUMB4osti0Nu73Qc=Co_dXFWAcbZBLqMz4xZHPmyEuA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jul 7, 2015 at 6:03 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:

> On 7/2/15 3:29 PM, Magnus Hagander wrote:
> > On Thu, Jul 2, 2015 at 5:40 PM, Peter Eisentraut <peter_e(at)gmx(dot)net
> > <mailto:peter_e(at)gmx(dot)net>> wrote:
> >
> > On 6/10/15 2:17 AM, Magnus Hagander wrote:
> > > AIUI that one was just about the DN field, and not about the rest. If I
> > > understand you correctly, you are referring to the whole thing, not just
> > > one field?
> >
> > I think at least the DN field shouldn't be visible to unprivileged
> > users.
> >
> > What's the argument for that? I mean, the DN field is the equivalent of
> > the username, and we show the username in pg_stat_activity already. Are
> > you envisioning a scenario where there is actually something secret in
> > the DN?
>
> I think the DN is analogous to the remote user name, which we don't
> expose for any of the other authentication methods.
>
> > Actually, I think the whole view shouldn't be accessible to unprivileged
> > users, except maybe your own row.
> >
> >
> > I could go for some of the others if we think there's reason, but I
> > don't understand the dn part?
> >
> > I guess there's some consistency in actually blocking exactly
> > everything...
>
> I think the default approach for security and authentication related
> information should be conservative, even if there is not a specific
> reason. Or to put it another way: What is the motivation for showing
> this information at all?
>

To make it accessible to monitoring systems that don't run as superuser
(which should be most monitoring systems, but we have other cases making
that hard as has already been mentioned upthread).

I'm having a hard time trying to figure out a consensus in this thread. I
think there are slightly more arguments for limiting the access though.

The question then is, if we want to hide everything, do we care about doing
the "NULL dance", or should we just throw an error for non-superusers
trying to access it?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
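The two options Magnus contrasts above, the "NULL dance" (all rows visible, sensitive columns blanked for non-superusers) versus refusing access outright, can be sketched in plain SQL. The following is an added illustration written for this archive page, not code from the thread or from the PostgreSQL source tree; it assumes the 9.5-era pg_stat_ssl columns (pid, ssl, version, cipher, bits, compression, clientdn) and uses hypothetical object names ssl_status_masked and ssl_status_strict.

```sql
-- Added example (not from the thread or PostgreSQL itself): two ways of
-- restricting what non-superusers learn from an SSL monitoring view.

-- Option 1: the "NULL dance". Every backend still gets a row, but the
-- security-relevant columns (client DN, cipher details) are NULLed out
-- unless the caller is a superuser or is looking at its own backend.
-- This is the pattern a non-superuser monitoring role can still consume
-- for per-backend "is SSL on?" style checks.
CREATE VIEW ssl_status_masked AS
SELECT s.pid,
       s.ssl,
       CASE WHEN current_setting('is_superuser') = 'on'
              OR s.pid = pg_backend_pid()
            THEN s.version     END AS version,
       CASE WHEN current_setting('is_superuser') = 'on'
              OR s.pid = pg_backend_pid()
            THEN s.cipher      END AS cipher,
       CASE WHEN current_setting('is_superuser') = 'on'
              OR s.pid = pg_backend_pid()
            THEN s.bits        END AS bits,
       CASE WHEN current_setting('is_superuser') = 'on'
              OR s.pid = pg_backend_pid()
            THEN s.compression END AS compression,
       CASE WHEN current_setting('is_superuser') = 'on'
              OR s.pid = pg_backend_pid()
            THEN s.clientdn    END AS clientdn
FROM pg_stat_ssl AS s;

-- Option 2: no dance, just an error. Non-superusers get
-- insufficient_privilege (SQLSTATE 42501) instead of a partially masked
-- result set, which is simpler to reason about but forces monitoring
-- to run as superuser.
CREATE FUNCTION ssl_status_strict()
RETURNS SETOF pg_stat_ssl
LANGUAGE plpgsql
AS $$
BEGIN
    IF current_setting('is_superuser') <> 'on' THEN
        RAISE insufficient_privilege
            USING MESSAGE = 'must be superuser to view SSL session details';
    END IF;
    RETURN QUERY SELECT * FROM pg_stat_ssl;
END
$$;

-- Usage (constructed):
--   SELECT * FROM ssl_status_masked;    -- always succeeds, columns may be NULL
--   SELECT * FROM ssl_status_strict();  -- ERROR 42501 for non-superusers
```

Note that both wrappers only matter if the underlying catalog view is itself restricted; in a real deployment the masked view is only a meaningful control once direct SELECT on the base view has been revoked from unprivileged roles.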
