Thread: Permission select pg_stat_replication
Hello, Could someone tell me what permission is required to select * from pg_stat_replication; ? I like to setup a monitor to query database with minimal privileges necessary. TIA, Jesse
Jesse, * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: > Could someone tell me what permission is required to > select * from pg_stat_replication; ? Currently, you're required to have superuser rights. > I like to setup a monitor to query database with minimal privileges necessary. I agree 110% and am actively working to fix exactly this issue. I hope to have a patch in the next day or so which will allow you to GRANT rights to such a monitor user which will allow that user to see all the contents of pg_stat_replication. One thing which would be really great is if you have time to test with the patch I'm working up (it's against 9.5, but this is strictly functionality testing and should be just in in a dev/test environment, I wouldn't suggest running 9.5 in production, of course!). Thanks! Stephen
Attachment
> Jesse, > > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: >> Could someone tell me what permission is required to >> select * from pg_stat_replication; ? > > Currently, you're required to have superuser rights. > >> I like to setup a monitor to query database with minimal privileges >> necessary. > > I agree 110% and am actively working to fix exactly this issue. I hope > to have a patch in the next day or so which will allow you to GRANT > rights to such a monitor user which will allow that user to see all the > contents of pg_stat_replication. > > One thing which would be really great is if you have time to test with > the patch I'm working up (it's against 9.5, but this is strictly > functionality testing and should be just in in a dev/test environment, > I wouldn't suggest running 9.5 in production, of course!). Hello, This can functional? SET SESSION AUTHORIZATION postgres; GRANT SELECT ON pg_stat_replication TO usuario1; ¿?¿?¿?¿?¿? Saludos, Gilberto Castillo La Habana, Cuba --- This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com>
Gilberto, * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: > > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: > >> Could someone tell me what permission is required to > >> select * from pg_stat_replication; ? > > > > Currently, you're required to have superuser rights. > > > >> I like to setup a monitor to query database with minimal privileges > >> necessary. > > > > I agree 110% and am actively working to fix exactly this issue. I hope > > to have a patch in the next day or so which will allow you to GRANT > > rights to such a monitor user which will allow that user to see all the > > contents of pg_stat_replication. > > > > One thing which would be really great is if you have time to test with > > the patch I'm working up (it's against 9.5, but this is strictly > > functionality testing and should be just in in a dev/test environment, > > I wouldn't suggest running 9.5 in production, of course!). [...] > SET SESSION AUTHORIZATION postgres; > > GRANT SELECT ON pg_stat_replication TO usuario1; This is (essentially) what I'm hoping to enable. Note that this won't do anything for you today as the view is already available to all users on the system and it's actually the function underneath which is filtering the result set. Thanks! Stephen
Attachment
> Gilberto, > > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: >> >> Could someone tell me what permission is required to >> >> select * from pg_stat_replication; ? >> > >> > Currently, you're required to have superuser rights. >> > >> >> I like to setup a monitor to query database with minimal privileges >> >> necessary. >> > >> > I agree 110% and am actively working to fix exactly this issue. I >> hope >> > to have a patch in the next day or so which will allow you to GRANT >> > rights to such a monitor user which will allow that user to see all >> the >> > contents of pg_stat_replication. >> > >> > One thing which would be really great is if you have time to test with >> > the patch I'm working up (it's against 9.5, but this is strictly >> > functionality testing and should be just in in a dev/test environment, >> > I wouldn't suggest running 9.5 in production, of course!). > [...] >> SET SESSION AUTHORIZATION postgres; >> >> GRANT SELECT ON pg_stat_replication TO usuario1; > > This is (essentially) what I'm hoping to enable. Note that this won't > do anything for you today as the view is already available to all users > on the system and it's actually the function underneath which is > filtering the result set. > Uhmmm, ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO usuario1; Nor does it work? Saludos, Gilberto Castillo La Habana, Cuba --- This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com>
Gilberto, * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: > > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: > >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: > >> >> Could someone tell me what permission is required to > >> >> select * from pg_stat_replication; ? > >> > > >> > Currently, you're required to have superuser rights. > >> > > >> >> I like to setup a monitor to query database with minimal privileges > >> >> necessary. > >> > > >> > I agree 110% and am actively working to fix exactly this issue. I > >> hope > >> > to have a patch in the next day or so which will allow you to GRANT > >> > rights to such a monitor user which will allow that user to see all > >> the > >> > contents of pg_stat_replication. > >> > > >> > One thing which would be really great is if you have time to test with > >> > the patch I'm working up (it's against 9.5, but this is strictly > >> > functionality testing and should be just in in a dev/test environment, > >> > I wouldn't suggest running 9.5 in production, of course!). > > [...] > >> SET SESSION AUTHORIZATION postgres; > >> > >> GRANT SELECT ON pg_stat_replication TO usuario1; > > > > This is (essentially) what I'm hoping to enable. Note that this won't > > do anything for you today as the view is already available to all users > > on the system and it's actually the function underneath which is > > filtering the result set. > > ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO > usuario1; > > Nor does it work? No. Feel free to try, but there's an explicit check in the C code which is what the SQL-level function that's under the view is calling. In current 9.5/master, at least, it's at: src/backend/replication/walsender.c:2797 if (!superuser()) { /* * Only superusers can see details. Other users only get the pid * value to know it's a walsender, but no details. */ MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); } Thanks, Stephen
Attachment
> Gilberto, > > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: >> > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: >> >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: >> >> >> Could someone tell me what permission is required to >> >> >> select * from pg_stat_replication; ? >> >> > >> >> > Currently, you're required to have superuser rights. >> >> > >> >> >> I like to setup a monitor to query database with minimal >> privileges >> >> >> necessary. >> >> > >> >> > I agree 110% and am actively working to fix exactly this issue. I >> >> hope >> >> > to have a patch in the next day or so which will allow you to GRANT >> >> > rights to such a monitor user which will allow that user to see all >> >> the >> >> > contents of pg_stat_replication. >> >> > >> >> > One thing which would be really great is if you have time to test >> with >> >> > the patch I'm working up (it's against 9.5, but this is strictly >> >> > functionality testing and should be just in in a dev/test >> environment, >> >> > I wouldn't suggest running 9.5 in production, of course!). >> > [...] >> >> SET SESSION AUTHORIZATION postgres; >> >> >> >> GRANT SELECT ON pg_stat_replication TO usuario1; >> > >> > This is (essentially) what I'm hoping to enable. Note that this won't >> > do anything for you today as the view is already available to all >> users >> > on the system and it's actually the function underneath which is >> > filtering the result set. >> >> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO >> usuario1; >> >> Nor does it work? > > No. Feel free to try, but there's an explicit check in the C code which > is what the SQL-level function that's under the view is calling. In > current 9.5/master, at least, it's at: > > src/backend/replication/walsender.c:2797 > > if (!superuser()) > { > /* > * Only superusers can see details. Other users only get the > pid > * value to know it's a walsender, but no details. > */ > MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); > } > Thanks Stephen for you information. Rgds, Gilberto Castillo La Habana, Cuba --- This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com>
Stephen, Thanks for the information. We are currently running 9.2 instance which we are using streaming replication for DR. I do not see an upgrade anytime in the near future to 9.4 or later due to specfic requirements for our application. Will your modifications be backported to 9.2? TIA, Jesse ps, sorry gilberto, selected wrong send to On Tue, Mar 31, 2015 at 10:47 AM, Gilberto Castillo <gilberto.castillo@etecsa.cu> wrote: > > >> Gilberto, >> >> * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: >>> > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: >>> >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: >>> >> >> Could someone tell me what permission is required to >>> >> >> select * from pg_stat_replication; ? >>> >> > >>> >> > Currently, you're required to have superuser rights. >>> >> > >>> >> >> I like to setup a monitor to query database with minimal >>> privileges >>> >> >> necessary. >>> >> > >>> >> > I agree 110% and am actively working to fix exactly this issue. I >>> >> hope >>> >> > to have a patch in the next day or so which will allow you to GRANT >>> >> > rights to such a monitor user which will allow that user to see all >>> >> the >>> >> > contents of pg_stat_replication. >>> >> > >>> >> > One thing which would be really great is if you have time to test >>> with >>> >> > the patch I'm working up (it's against 9.5, but this is strictly >>> >> > functionality testing and should be just in in a dev/test >>> environment, >>> >> > I wouldn't suggest running 9.5 in production, of course!). >>> > [...] >>> >> SET SESSION AUTHORIZATION postgres; >>> >> >>> >> GRANT SELECT ON pg_stat_replication TO usuario1; >>> > >>> > This is (essentially) what I'm hoping to enable. Note that this won't >>> > do anything for you today as the view is already available to all >>> users >>> > on the system and it's actually the function underneath which is >>> > filtering the result set. >>> >>> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO >>> usuario1; >>> >>> Nor does it work? >> >> No. Feel free to try, but there's an explicit check in the C code which >> is what the SQL-level function that's under the view is calling. In >> current 9.5/master, at least, it's at: >> >> src/backend/replication/walsender.c:2797 >> >> if (!superuser()) >> { >> /* >> * Only superusers can see details. Other users only get the >> pid >> * value to know it's a walsender, but no details. >> */ >> MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); >> } >> > > > Thanks Stephen for you information. > > > Rgds, > Gilberto Castillo > La Habana, Cuba > > --- > This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu > Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com> >
As an adhoc solution on 9.2, you can do something like this:
1. Create a function that extracts all from pg_stat_replication:
create or replace function pg_stat_repl() returns setof pg_catalog.pg_stat_replication as $$begin return query(select * from pg_catalog.pg_stat_replication); end$$ language plpgsql security definer;
2. Create a view that uses this function to get data in it:
create view public.pg_stat_repl as select * from pg_stat_repl();
3. Grant select on this view to your unprivileged user, sat 'common_user' :
After this, you can do a select on this view to get the required information. You can do this for other pg_catalog functions as well. Reference - https://github.com/xzilla/secure_check_postgres/blob/master/sql/pg_stat_activity.sqlgrant select on public.pg_stat_repl to common_user;
On Tue, Mar 31, 2015 at 1:52 PM, <jesse.waters@gmail.com> wrote:
Stephen,
Thanks for the information. We are currently running 9.2 instance
which we are using streaming replication for DR. I do not see an
upgrade anytime in the near future to 9.4 or later due to specfic
requirements for our application.
Will your modifications be backported to 9.2?
TIA,
Jesse
ps, sorry gilberto, selected wrong send to> ---
On Tue, Mar 31, 2015 at 10:47 AM, Gilberto Castillo
<gilberto.castillo@etecsa.cu> wrote:
>
>
>> Gilberto,
>>
>> * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote:
>>> > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote:
>>> >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote:
>>> >> >> Could someone tell me what permission is required to
>>> >> >> select * from pg_stat_replication; ?
>>> >> >
>>> >> > Currently, you're required to have superuser rights.
>>> >> >
>>> >> >> I like to setup a monitor to query database with minimal
>>> privileges
>>> >> >> necessary.
>>> >> >
>>> >> > I agree 110% and am actively working to fix exactly this issue. I
>>> >> hope
>>> >> > to have a patch in the next day or so which will allow you to GRANT
>>> >> > rights to such a monitor user which will allow that user to see all
>>> >> the
>>> >> > contents of pg_stat_replication.
>>> >> >
>>> >> > One thing which would be really great is if you have time to test
>>> with
>>> >> > the patch I'm working up (it's against 9.5, but this is strictly
>>> >> > functionality testing and should be just in in a dev/test
>>> environment,
>>> >> > I wouldn't suggest running 9.5 in production, of course!).
>>> > [...]
>>> >> SET SESSION AUTHORIZATION postgres;
>>> >>
>>> >> GRANT SELECT ON pg_stat_replication TO usuario1;
>>> >
>>> > This is (essentially) what I'm hoping to enable. Note that this won't
>>> > do anything for you today as the view is already available to all
>>> users
>>> > on the system and it's actually the function underneath which is
>>> > filtering the result set.
>>>
>>> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO
>>> usuario1;
>>>
>>> Nor does it work?
>>
>> No. Feel free to try, but there's an explicit check in the C code which
>> is what the SQL-level function that's under the view is calling. In
>> current 9.5/master, at least, it's at:
>>
>> src/backend/replication/walsender.c:2797
>>
>> if (!superuser())
>> {
>> /*
>> * Only superusers can see details. Other users only get the
>> pid
>> * value to know it's a walsender, but no details.
>> */
>> MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1);
>> }
>>
>
>
> Thanks Stephen for you information.
>
>
> Rgds,
> Gilberto Castillo
> La Habana, Cuba
>
> This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu
> Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com>>
--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
Payal, This doesn't actually do what you appear to think it does.. * Payal Singh (payal@omniti.com) wrote: > As an adhoc solution on 9.2, you can do something like this: > > 1. Create a function that extracts all from pg_stat_replication: > > create or replace function pg_stat_repl() returns setof > pg_catalog.pg_stat_replication as $$begin return query(select * from > pg_catalog.pg_stat_replication); end$$ language plpgsql security definer; This function is now available to be used by all users on the system. Should you revoke EXECUTE rights on this function from PUBLIC, the view you build on top of it will no longer work for users who have access to it. Functions in view definitions are run with the privileges of the user selecting against the view, *not* the owner of the view. Privilege checks for *tables* referenced in views is done as the owner of the view. > 2. Create a view that uses this function to get data in it: > > create view public.pg_stat_repl as select * from pg_stat_repl(); Even if this actually worked (which it doesn't, see above), I suspect you'd have to mark this a security barrier view. > After this, you can do a select on this view to get the required > information. You can do this for other pg_catalog functions as well. > Reference - > https://github.com/xzilla/secure_check_postgres/blob/master/sql/pg_stat_activity.sql What you link to here is better- it revokes access both to the function and to the view. Both would have to then be granted specifically to the monitor user. What sucks about all of this, of course, is that the monitoring code has already been written and there isn't a standard set of functions/views like this in core for it to depend on. The approach I'm going for is to remove the hard-coded checks and re-implement them at the SQL level, allowing administrators to grant access to the base functions for monitoring users and then have the monitoring systems updated to use those functions instead. This makes more sense, to me at least, than duplicating everything or having wrapper functions which do the check and are the "secured" version and then functions also exposed at the SQL level which are "unsecured" and then have privileges to them REVOKE'd. I'm certainly interested in other thoughts on this though and there is a thread over on -hackers about it, which is where further discussion on this belongs. Thanks! Stephen
Attachment
Jesse, No, it's a new feature and will not be back-patched. 9.2 will be deprecated in a few years anyway, so I suggest you work out what your upgrade plans will be sooner rather than later as staying on 9.2 indefinitely is not a supportable option. Thanks! Stephen * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: > Stephen, > > Thanks for the information. We are currently running 9.2 instance > which we are using streaming replication for DR. I do not see an > upgrade anytime in the near future to 9.4 or later due to specfic > requirements for our application. > > Will your modifications be backported to 9.2? > > TIA, > > Jesse > > > ps, sorry gilberto, selected wrong send to > > On Tue, Mar 31, 2015 at 10:47 AM, Gilberto Castillo > <gilberto.castillo@etecsa.cu> wrote: > > > > > >> Gilberto, > >> > >> * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: > >>> > * Gilberto Castillo (gilberto.castillo@etecsa.cu) wrote: > >>> >> > * jesse.waters@gmail.com (jesse.waters@gmail.com) wrote: > >>> >> >> Could someone tell me what permission is required to > >>> >> >> select * from pg_stat_replication; ? > >>> >> > > >>> >> > Currently, you're required to have superuser rights. > >>> >> > > >>> >> >> I like to setup a monitor to query database with minimal > >>> privileges > >>> >> >> necessary. > >>> >> > > >>> >> > I agree 110% and am actively working to fix exactly this issue. I > >>> >> hope > >>> >> > to have a patch in the next day or so which will allow you to GRANT > >>> >> > rights to such a monitor user which will allow that user to see all > >>> >> the > >>> >> > contents of pg_stat_replication. > >>> >> > > >>> >> > One thing which would be really great is if you have time to test > >>> with > >>> >> > the patch I'm working up (it's against 9.5, but this is strictly > >>> >> > functionality testing and should be just in in a dev/test > >>> environment, > >>> >> > I wouldn't suggest running 9.5 in production, of course!). > >>> > [...] > >>> >> SET SESSION AUTHORIZATION postgres; > >>> >> > >>> >> GRANT SELECT ON pg_stat_replication TO usuario1; > >>> > > >>> > This is (essentially) what I'm hoping to enable. Note that this won't > >>> > do anything for you today as the view is already available to all > >>> users > >>> > on the system and it's actually the function underneath which is > >>> > filtering the result set. > >>> > >>> ALTER DEFAULT PRIVILEGES FOR ROLE postgres GRANT SELECT ON VIEWS TO > >>> usuario1; > >>> > >>> Nor does it work? > >> > >> No. Feel free to try, but there's an explicit check in the C code which > >> is what the SQL-level function that's under the view is calling. In > >> current 9.5/master, at least, it's at: > >> > >> src/backend/replication/walsender.c:2797 > >> > >> if (!superuser()) > >> { > >> /* > >> * Only superusers can see details. Other users only get the > >> pid > >> * value to know it's a walsender, but no details. > >> */ > >> MemSet(&nulls[1], true, PG_STAT_GET_WAL_SENDERS_COLS - 1); > >> } > >> > > > > > > Thanks Stephen for you information. > > > > > > Rgds, > > Gilberto Castillo > > La Habana, Cuba > > > > --- > > This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu > > Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com> > > > > > -- > Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-admin
Attachment
Hey Jesse,
--
you should be able to use secure_check_postgres method to avoid granting SUPER permission on monitoring user.
Example:
1. Create a function that extracts all from pg_stat_replication:
create or replace function pg_stat_repl() returns setof pg_catalog.pg_stat_replication as $$begin return query(select * from pg_catalog.pg_stat_replication); end$$ language plpgsql security definer;
2. Create a view that uses this function to get data in it:
create view public.pg_stat_repl as select * from pg_stat_repl();
3. Grant select on this view to your unprivileged user, sat 'common_user' :
After this, you can do a select on this view to get the required information. You can do this for other pg_catalog functions as well. Reference - https://github.com/xzilla/secure_check_postgres/blob/master/sql/pg_stat_activity.sqlgrant select on public.pg_stat_repl to common_user;
Hope this helps.
On Tue, Mar 31, 2015 at 8:47 AM, <jesse.waters@gmail.com> wrote:
Hello,
Could someone tell me what permission is required to
select * from pg_stat_replication; ?
I like to setup a monitor to query database with minimal privileges necessary.
TIA,
Jesse
--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
Denish Patel,
OmniTI Computer Consulting Inc.
Database Architect,
http://omniti.com/does/data-management
OmniTI Computer Consulting Inc.
Database Architect,
http://omniti.com/does/data-management
* Denish Patel (denish@omniti.com) wrote: > you should be able to use secure_check_postgres method to avoid granting > SUPER permission on monitoring user. [...] Denish, Please see my reply to Payal. This doesn't work. At the very least, the permissions on the pg_stat_repl() function need to be adjusted to be only GRANT'd to the monitoring user, otherwise the information is available to everyone. If that's the intent, then the view might as well be granted to PUBLIC. Recall that, by defualt, EXECUTE on a function is granted to PUBLIC. Thanks, Stephen
Attachment
Fair enough but they should be able to achieve their goal to avoid granting SUPER to monitoring user. They have to tweak the grant/revoke as desired.
--
On Wed, Apr 1, 2015 at 11:53 AM, Stephen Frost <sfrost@snowman.net> wrote:
* Denish Patel (denish@omniti.com) wrote:
> you should be able to use secure_check_postgres method to avoid granting
> SUPER permission on monitoring user.
[...]
Denish,
Please see my reply to Payal. This doesn't work. At the very least,
the permissions on the pg_stat_repl() function need to be adjusted to be
only GRANT'd to the monitoring user, otherwise the information is
available to everyone. If that's the intent, then the view might as
well be granted to PUBLIC.
Recall that, by defualt, EXECUTE on a function is granted to PUBLIC.
Thanks,
Stephen
Denish Patel,
OmniTI Computer Consulting Inc.
Database Architect,
http://omniti.com/does/data-management
OmniTI Computer Consulting Inc.
Database Architect,
http://omniti.com/does/data-management