Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me

Peter Geoghegan <pg(at)heroku(dot)com> writes:
> On Mon, Jan 27, 2014 at 5:12 PM, KONDO Mitsumasa
> <kondo(dot)mitsumasa(at)lab(dot)ntt(dot)co(dot)jp> wrote:
>> This patch has security problem that root can easily see the statement file
>> in database cluster.

> By default, we always serialize statements along with their query
> texts to disk on shutdown. Until May of 2012, pg_stat_statements
> didn't bother unlinking on startup, and so the file with query texts
> was always on the PGDATA filesystem. What's the difference?

Root can certainly also look at query texts in shared memory, or for that
matter in the local memory of any process. So can anybody else running as
the postgres userid.

Also, current query texts are probably less interesting to an intruder
than the contents of the database itself, which is stored in the same
directory tree with the same permissions (0600) as the query-text file.

So I'm failing to detect any incremental increase in risk here. Anybody
who can read that file can already do pretty much whatever he wants with
either the server processes or the database contents.

regards, tom lane