"Marc G. Fournier" <scrappy@postgresql.org> writes:
> On Thu, 19 Aug 2004, Tom Lane wrote:
>> I'd like to see more than one person requesting this (and with solider
>> rationales) before it gets added to TODO. If I wanted to be picky I
>> would suggest that knowledge of the server start time might be useful
>> information to an attacker. It would for instance narrow down the
>> number of possible starting seeds for the postmaster's random number
>> generator.
> Wouldn't an attacker have to have access to the server in the first place
> to get that information?
They'd only need SQL access to run the proposed uptime() function. The
question is what they could parlay the information into --- perhaps the
ability to break into a more-privileged database account, or maybe even
the ability to break into other services on the same machine. It's not
unreasonable to suppose that the postmaster start time tells you the
most recent boot time of the server, and so you might be able to apply
the same sort of I-know-the-random-seed attack to other daemons on the
same machine.
This is certainly all speculative. But I thought the rationale for
clients wanting to know the postmaster start time in the first place
was pretty dang thin. I am simply pointing out that this is not a
zero-risk addition, and so we ought to ask just how much more than zero
benefit it really has.
regards, tom lane
