| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | using explicit_bzero |
| Date: | 2019-06-21 07:25:43 |
| Message-ID: | 42d26bde-5d5b-c90d-87ae-6cab875f73be@2ndquadrant.com |
| Lists: | pgsql-hackers |

In a recent thread[0], the existence of explicit_bzero() was mentioned. I went to look where we could use that to clear sensitive information from memory and found a few candidates:

- In be-secure-common.c, clear the entered SSL passphrase in the error path. (In the non-error path, the buffer belongs to OpenSSL.)
- In libpq, clean up after reading .pgpass. Otherwise, the entire file including all passwords potentially remains in memory.
- In libpq, clear the password after a connection is closed (freePGconn/part of PQfinish).
- pg_hba.conf could potentially contain passwords for LDAP, so that should maybe also be cleared, but the structure of that code would make that more involved, so I skipped that for now. Efforts are probably better directed at providing facilities to avoid having to do that.[1]

Any other ones?

A patch that implements the first three is attached.
[0]: https://www.postgresql.org/message-id/043403c2-f04d-3a69-aa8a-9bb7b9ce8e5b@iki.fi
[1]: https://www.postgresql.org/message-id/flat/CA%2BhUKGJ44ssWhcKP1KYK2Dm9_XXk1_b629_qSDUhH1fWfuAvXg%40mail.gmail.com

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Use-explicit_bzero.patch | text/plain | 4.2 KB |
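To illustrate the pattern the message describes (wipe the .pgpass working copy once it has been read, and wipe the password itself when the connection is closed), here is an added example in C that is not part of the attached patch or of PostgreSQL. It uses memset through a volatile function pointer as a portable stand-in for explicit_bzero(), and the .pgpass contents, user names and passwords are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample .pgpass contents (host:port:db:user:password). */
static const char SAMPLE_PGPASS[] =
    "localhost:5432:prod:alice:s3cret-one\n"
    "*:*:*:bob:s3cret-two\n";

/* memset through a volatile function pointer so the compiler cannot drop the
 * store as dead: a portable stand-in for explicit_bzero(), which is preferable
 * where the platform provides it. */
static void *(*volatile const memset_v)(void *, int, size_t) = memset;
void secure_zero(void *p, size_t n) { memset_v(p, 0, n); }
int all_zero(const unsigned char *p, size_t n) { unsigned char a = 0; while (n--) a |= *p++; return !a; }

/* Copy the password for `user` from a .pgpass-style buffer into `out`; returns
 * 1 if found. Only the username field is matched (libpq's wildcard rules are
 * omitted). The working copy held every password in the file, so wipe it. */
int pgpass_lookup(const char *contents, const char *user, char *out, size_t outsz)
{
    size_t len = strlen(contents);
    char *buf = malloc(len + 1), *nl = NULL;
    int found = 0;
    if (!buf) return 0;
    memcpy(buf, contents, len + 1);
    for (char *line = buf; line && !found; line = nl ? nl + 1 : NULL) {
        char *f[5]; int n = 0;
        if ((nl = strchr(line, '\n'))) *nl = '\0';
        for (char *p = line; p && n < 5; n++) {   /* split fields on ':' */
            f[n] = p;
            p = (n < 4) ? strchr(p, ':') : NULL;
            if (p) *p++ = '\0';
        }
        if (n == 5 && strcmp(f[3], user) == 0 && strlen(f[4]) < outsz) {
            strcpy(out, f[4]);
            found = 1;
        }
    }
    secure_zero(buf, len + 1);   /* the whole file was in memory: clear it */
    free(buf);
    return found;
}

/* Round trip, as freePGconn() should behave: use the password, then wipe it. */
int password_is_wiped_after_use(const char *user)
{
    char pw[64];
    if (!pgpass_lookup(SAMPLE_PGPASS, user, pw, sizeof pw)) return 0;
    secure_zero(pw, sizeof pw);
    return all_zero((unsigned char *)pw, sizeof pw);
}
```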