Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me - Mailing list pgsql-committers

From KONDO Mitsumasa
Subject Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me
Date
Msg-id 52E71331.50501@lab.ntt.co.jp
In response to Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me
List pgsql-committers
(2014/01/28 10:23), Tom Lane wrote:
> Peter Geoghegan <pg@heroku.com> writes:
>> On Mon, Jan 27, 2014 at 5:12 PM, KONDO Mitsumasa
>> <kondo.mitsumasa@lab.ntt.co.jp> wrote:
>>> This patch has a security problem that root can easily see the statement file
>>> in database cluster.
>
>> By default, we always serialize statements along with their query
>> texts to disk on shutdown. Until May of 2012, pg_stat_statements
>> didn't bother unlinking on startup, and so the file with query texts
>> was always on the PGDATA filesystem. What's the difference?
>
> Root can certainly also look at query texts in shared memory, or for that
> matter in the local memory of any process.  So can anybody else running as
> the postgres userid.
This assumption is too hacker...

> Also, current query texts are probably less interesting to an intruder
> than the contents of the database itself, which is stored in the same
> directory tree with the same permissions (0600) as the query-text file.
Yes, that's right. However, a table name or function name might include security
information. When we consult with my client, which needs high security, they replace
function names or table names with others by using regular expressions.

I still think this feature may cause a security problem, and we need to discuss
it, or add detailed documentation.

Regards,
--
Mitsumasa KONDO
NTT Open Source Software Center