Re: Information of pg_stat_ssl visible to all users - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Information of pg_stat_ssl visible to all users
Date
Msg-id CABUevEx-dpGKz-bv2k-=bkinMYPVQr1O2mEWPNNKRGJrdwFNKQ@mail.gmail.com
In response to Re: Information of pg_stat_ssl visible to all users  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: Information of pg_stat_ssl visible to all users  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
On Tue, Jun 9, 2015 at 10:55 PM, Michael Paquier <michael.paquier@gmail.com> wrote:
On Tue, Jun 9, 2015 at 3:27 PM, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael.paquier@gmail.com> wrote:
>>
>> Hi all,
>>
>> I should have noticed that before, but it happens that pg_stat_ssl
>> leaks information about the SSL status of all the users connected to a
>> server. Let's imagine for example:
>> 1) Session 1 connected through SSL with a superuser:
>> =# create role toto login;
>> CREATE ROLE
>> =# select * from pg_stat_ssl;
>>   pid  | ssl | version |           cipher            | bits | compression | clientdn
>> -------+-----+---------+-----------------------------+------+-------------+----------
>>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
>> (1 row)
>> 2) New session 2 with previously created user:
>> => select * from pg_stat_ssl;
>>   pid  | ssl | version |           cipher            | bits | compression | clientdn
>> -------+-----+---------+-----------------------------+------+-------------+----------
>>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
>>  33367 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
>> (2 rows)
>>
>> Attached is a patch to mask those values to users that should not have
>> access to it, similarly to the other fields of pg_stat_activity.
>
> I don't have the thread around right now (on phone), but didn't we discuss
> this back around the original submission and decide that this was wanted
> behavior?

Looking back at this thread, it is mentioned here:
http://www.postgresql.org/message-id/31891.1405175764@sss.pgh.pa.us


AIUI that one was just about the DN field, and not about the rest. If I understand you correctly, you are referring to the whole thing, not just one field?



> What actual sensitive data is leaked? If knowing the cipher type makes it
> easier to hack you have a broken cipher, don't you?

I am just wondering if it is a good idea to let other users know the
origin of a connection to all the users. Let's imagine the case where
for example the same user name is used for non-SSL and SSL sessions.
This could give a hint of the activity on the server.

However, feel free to ignore those concerns if you think the current
situation is fine...


Well, I do think the current one is OK, but I don't want to ignore the comment anyway :) Happy to hear comments from others as well. 

--
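As an added example (not part of this thread and not PostgreSQL's own code), here is how a DBA can reproduce the exposure Michael describes and then restrict pg_stat_ssl locally without waiting on a masking patch. The role name toto comes from the thread; the password, the function name my_ssl_status() and the choice to restrict by pg_backend_pid() are assumptions of this example. The wrapper tests session_user rather than current_user because inside a SECURITY DEFINER function current_user is the function's owner.

```sql
-- Added example, not from the thread or the PostgreSQL project.
-- Assumed names: password 'changeme', function my_ssl_status().

-- 1) As a superuser (session 1, connected over SSL): create an unprivileged login role.
CREATE ROLE toto LOGIN PASSWORD 'changeme';

-- 2) As toto (session 2): every backend's SSL state is readable, not just this session's.
--    This is the check to run first; if only your own row (or NULLs) comes back,
--    your server already masks the view and the rest is unnecessary.
SELECT pid, ssl, version, cipher, bits, compression, clientdn
  FROM pg_stat_ssl;

-- 3) As the superuser again: take the view away from PUBLIC and hand back a wrapper
--    that returns only the caller's own backend unless the caller is a superuser.
REVOKE SELECT ON pg_catalog.pg_stat_ssl FROM PUBLIC;

CREATE OR REPLACE FUNCTION my_ssl_status()
RETURNS SETOF pg_catalog.pg_stat_ssl
LANGUAGE sql
SECURITY DEFINER                 -- runs as the (superuser) owner, so it can read the view
SET search_path = pg_catalog     -- pin the search path so nothing can be shadowed
AS $$
  SELECT *
    FROM pg_catalog.pg_stat_ssl
   WHERE pid = pg_catalog.pg_backend_pid()
      OR (SELECT rolsuper
            FROM pg_catalog.pg_roles
           WHERE rolname = session_user);   -- session_user, not current_user (see lead-in)
$$;

REVOKE ALL ON FUNCTION my_ssl_status() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION my_ssl_status() TO toto;

-- 4) As toto (session 2) again:
SELECT * FROM pg_stat_ssl;       -- now fails: permission denied for view pg_stat_ssl
SELECT * FROM my_ssl_status();   -- returns only the row for this backend's pid
```

The REVOKE on a pg_catalog view is an ordinary ACL change on that database and must be repeated in every database where it matters; it does not change what a superuser, or anyone who can SET ROLE to a superuser, can see, which is the same boundary the masking in pg_stat_activity draws.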
