Home > mailing lists

Information of pg_stat_ssl visible to all users - Mailing list pgsql-hackers

From	Michael Paquier
Subject	Information of pg_stat_ssl visible to all users
Date	June 9, 2015 07:00:21
Msg-id	CAB7nPqReR+MUupGA5wd9tywdhhgHkREnY9OEJemMxkd2zzrvQw@mail.gmail.com Whole thread Raw
Responses	Re: Information of pg_stat_ssl visible to all users (Magnus Hagander <magnus@hagander.net>)
List	pgsql-hackers

Tree view

Hi all,

I should have noticed that before, but it happens that pg_stat_ssl
leaks information about the SSL status of all the users connected to a
server. Let's imagine for example:
1) Session 1 connected through SSL with a superuser:
=# create role toto login;
CREATE ROLE
=# select * from pg_stat_ssl;
  pid  | ssl | version |           cipher            | bits |
compression | clientdn
-------+-----+---------+-----------------------------+------+-------------+----------
 33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
(1 row)
2) New session 2 with previously created user:
=> select * from pg_stat_ssl;
  pid  | ssl | version |           cipher            | bits |
compression | clientdn
-------+-----+---------+-----------------------------+------+-------------+----------
 33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
 33367 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
(2 rows)

Attached is a patch to mask those values to users that should not have
access to it, similarly to the other fields of pg_stat_activity.
Regards,
--
Michael

Attachment

20150609_pgstat_ssl_leakfix.patch

pgsql-hackers by date:

From: David Rowley
Date: 09 June 2015, 06:55:23
Subject: Aggregate Supporting Functions

From: Amit Kapila
Date: 09 June 2015, 07:04:30
Subject: Re: Re: [COMMITTERS] pgsql: Map basebackup tablespaces using a tablespace_map file

Information of pg_stat_ssl visible to all users - Mailing list pgsql-hackers

Attachment

Previous

Next