Re: Hiding a GUC from SQL

On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote:
> In my extension pgsodium I'm defining a custom variable at startup to store a key:
>
> https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
>
> I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
> and a custom "no show" show hook that obscures the value. This idea was inspired from the
> pgcryptokey module from Bruce Momjian.
>
> The value cannot be shown either with SHOW or current_setting() and it does not appear in pg_settings.
> From what I can tell, the value is inaccessible from SQL, but I think it's worth asking
> the experts if there is some other demonstrable way, from SQL, that this value could be
> leaked even to a superuser. no sql level user should be able to see this value, only a C function,
> like the pgsodium_derive() from which to derive other keys, should be able to see it.
> I realize that someone with external process access can get the key, my goal is to prevent
> accessing it from SQL.
>
> Any thoughts on weaknesses to this approach would be welcome. Thanks!
>
> -Michel

A superuser can access files and start programs on the server machine.

A dedicated superuser may for example attach to PostgreSQL with a debugger
and read the value of the variable.

And if that doesn't work, there may be other things to try.

It is mostly useless to try to keep a superuser from doing anything that
the "postgres" operating system user can do.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com