Thread: More detailed auth info

More detailed auth info

From
Magnus Hagander
Date:
I came across a case this week where I wanted to be able to determine
more detailed auth information on already logged in sessions - not
from the client, but from the server. In this specific case, I wanted
to examine the "is ssl" flag on the connection. But I can see other
things being interesting, such as which user is on the other end (when
pg_ident is in use), more detailed SSL information, full kerberos
principal when kerberos in use etc.

I doubt this is common enough to want to stick it in pg_stat_activity
though, but what do people think? And if not there, as a separate view
or just as a function to call (e.g.
pg_get_detailed_authinfo(<backendpid>))

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: More detailed auth info

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> I came across a case this week where I wanted to be able to determine
> more detailed auth information on already logged in sessions - not
> from the client, but from the server. In this specific case, I wanted
> to examine the "is ssl" flag on the connection. But I can see other
> things being interesting, such as which user is on the other end (when
> pg_ident is in use), more detailed SSL information, full kerberos
> principal when kerberos in use etc.

> I doubt this is common enough to want to stick it in pg_stat_activity
> though, but what do people think? And if not there, as a separate view
> or just as a function to call (e.g.
> pg_get_detailed_authinfo(<backendpid>))

By and large, it's been thought to be a possible security hole to expose
such information, except possibly in the postmaster log.  I'm certainly
*not* in favor of creating a view for it.
        regards, tom lane


Re: More detailed auth info

From
Magnus Hagander
Date:
On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> I came across a case this week where I wanted to be able to determine
>> more detailed auth information on already logged in sessions - not
>> from the client, but from the server. In this specific case, I wanted
>> to examine the "is ssl" flag on the connection. But I can see other
>> things being interesting, such as which user is on the other end (when
>> pg_ident is in use), more detailed SSL information, full kerberos
>> principal when kerberos in use etc.
>
>> I doubt this is common enough to want to stick it in pg_stat_activity
>> though, but what do people think? And if not there, as a separate view
>> or just as a function to call (e.g.
>> pg_get_detailed_authinfo(<backendpid>))
>
> By and large, it's been thought to be a possible security hole to expose
> such information, except possibly in the postmaster log.  I'm certainly
> *not* in favor of creating a view for it.

Well, it would obviously be superuser only.

Would you object to a function as well?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: More detailed auth info

From
Robert Haas
Date:
On Fri, Jan 21, 2011 at 10:14 AM, Magnus Hagander <magnus@hagander.net> wrote:
> On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Magnus Hagander <magnus@hagander.net> writes:
>>> I came across a case this week where I wanted to be able to determine
>>> more detailed auth information on already logged in sessions - not
>>> from the client, but from the server. In this specific case, I wanted
>>> to examine the "is ssl" flag on the connection. But I can see other
>>> things being interesting, such as which user is on the other end (when
>>> pg_ident is in use), more detailed SSL information, full kerberos
>>> principal when kerberos in use etc.
>>
>>> I doubt this is common enough to want to stick it in pg_stat_activity
>>> though, but what do people think? And if not there, as a separate view
>>> or just as a function to call (e.g.
>>> pg_get_detailed_authinfo(<backendpid>))
>>
>> By and large, it's been thought to be a possible security hole to expose
>> such information, except possibly in the postmaster log.  I'm certainly
>> *not* in favor of creating a view for it.
>
> Well, it would obviously be superuser only.

What if the user's password is in their connection string?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: More detailed auth info

From
Magnus Hagander
Date:
On Fri, Jan 21, 2011 at 16:32, Robert Haas <robertmhaas@gmail.com> wrote:
> On Fri, Jan 21, 2011 at 10:14 AM, Magnus Hagander <magnus@hagander.net> wrote:
>> On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Magnus Hagander <magnus@hagander.net> writes:
>>>> I came across a case this week where I wanted to be able to determine
>>>> more detailed auth information on already logged in sessions - not
>>>> from the client, but from the server. In this specific case, I wanted
>>>> to examine the "is ssl" flag on the connection. But I can see other
>>>> things being interesting, such as which user is on the other end (when
>>>> pg_ident is in use), more detailed SSL information, full kerberos
>>>> principal when kerberos in use etc.
>>>
>>>> I doubt this is common enough to want to stick it in pg_stat_activity
>>>> though, but what do people think? And if not there, as a separate view
>>>> or just as a function to call (e.g.
>>>> pg_get_detailed_authinfo(<backendpid>))
>>>
>>> By and large, it's been thought to be a possible security hole to expose
>>> such information, except possibly in the postmaster log.  I'm certainly
>>> *not* in favor of creating a view for it.
>>
>> Well, it would obviously be superuser only.
>
> What if the user's password is in their connection string?

Um, none of the fields I've suggested so far was "connection string".
In fact, that would be Pretty Darn Hard without modifying the client
to actually *send* the connection string. Which id doesn't.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: More detailed auth info

From
Robert Haas
Date:
On Fri, Jan 21, 2011 at 10:34 AM, Magnus Hagander <magnus@hagander.net> wrote:
> Um, none of the fields I've suggested so far was "connection string".
> In fact, that would be Pretty Darn Hard without modifying the client
> to actually *send* the connection string. Which id doesn't.

So... is there centralized structure which contains the info you're
thinking of exposing?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: More detailed auth info

From
Magnus Hagander
Date:
On Fri, Jan 21, 2011 at 16:40, Robert Haas <robertmhaas@gmail.com> wrote:
> On Fri, Jan 21, 2011 at 10:34 AM, Magnus Hagander <magnus@hagander.net> wrote:
>> Um, none of the fields I've suggested so far was "connection string".
>> In fact, that would be Pretty Darn Hard without modifying the client
>> to actually *send* the connection string. Which id doesn't.
>
> So... is there centralized structure which contains the info you're
> thinking of exposing?

No, not today. That's what would have to be created. (And before you
or somebody says something, no, it's not on the CF, so this is likely
a 9.2 feature unless that structure thingy turns out to be a lot
*less* code than I think it will)


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: More detailed auth info

From
Robert Haas
Date:
On Fri, Jan 21, 2011 at 10:43 AM, Magnus Hagander <magnus@hagander.net> wrote:
> On Fri, Jan 21, 2011 at 16:40, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Fri, Jan 21, 2011 at 10:34 AM, Magnus Hagander <magnus@hagander.net> wrote:
>>> Um, none of the fields I've suggested so far was "connection string".
>>> In fact, that would be Pretty Darn Hard without modifying the client
>>> to actually *send* the connection string. Which id doesn't.
>>
>> So... is there centralized structure which contains the info you're
>> thinking of exposing?
>
> No, not today. That's what would have to be created. (And before you
> or somebody says something, no, it's not on the CF, so this is likely
> a 9.2 feature unless that structure thingy turns out to be a lot
> *less* code than I think it will)

Well, unlike Tom, I don't object to the basic idea, but I reserve the
right to object in detail.  :-)

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Re: More detailed auth info

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> On Fri, Jan 21, 2011 at 16:40, Robert Haas <robertmhaas@gmail.com> wrote:
>> So... is there centralized structure which contains the info you're
>> thinking of exposing?

> No, not today.

I think that most of the info Magnus suggested isn't stored at all,
anywhere, at the moment; much less stored in shared memory.
        regards, tom lane


Re: More detailed auth info

From
Robert Haas
Date:
On Fri, Jan 21, 2011 at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Fri, Jan 21, 2011 at 16:40, Robert Haas <robertmhaas@gmail.com> wrote:
>>> So... is there centralized structure which contains the info you're
>>> thinking of exposing?
>
>> No, not today.
>
> I think that most of the info Magnus suggested isn't stored at all,
> anywhere, at the moment; much less stored in shared memory.

Oh.

Well, that's another can of worms, then.  I think this conversation is
best deferred at least until we get a 9.1 beta out the door; we're
clearly not going to do anything about it right now...

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company