From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Audit of logout |
Date: | 2014-06-21 03:59:24 |
Message-ID: | 53A5031C.70506@joeconway.com |
Lists: | pgsql-hackers |
On 06/13/2014 07:29 AM, Tom Lane wrote:
> Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
>> On Thu, Jun 12, 2014 at 8:51 PM, Fujii Masao
>> <masao(dot)fujii(at)gmail(dot)com> wrote:
>>> Some users enable log_disconnections in postgresql.conf to
>>> audit all logouts. But since log_disconnections is defined with
>>> PGC_BACKEND, it can be changed at connection start. This means
>>> that any client (even nonsuperuser) can freely disable
>>> log_disconnections not to log his or her logout even when the
>>> system admin enables it in postgresql.conf. Isn't this
>>> problematic for audit?
>
>> That's harmful for audit purpose. I think that we should make
>> log_disconnections PGC_SUSET rather than PGC_BACKEND in order to
>> forbid non-superusers from changing its setting. Attached patch
>> does this.
This whole argument seems wrong unless I'm missing something:
test=# set log_connections = on;
ERROR: parameter "log_connections" cannot be set after connection start
test=# set log_disconnections = off;
ERROR: parameter "log_disconnections" cannot be set after connection start
> I wonder whether we should just get rid of log_disconnections as a
> separate variable, instead logging disconnections when
> log_connections is set.
That might be a good idea though.
> Another answer is to make both variables PGC_SIGHUP, on the
> grounds that it doesn't make much sense for them not to be applied
> system-wide; except that I think there was some idea that logging
> might be enabled per-user or per-database using ALTER
> ROLE/DATABASE.
I don't think this is a good idea because of the reason you mention.
Joe
--
Joe Conway
credativ LLC: http://www.credativ.us
Linux, PostgreSQL, and general Open Source
Training, Service, Consulting, & 24x7 Support
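
An added example, not part of the original message or of the PostgreSQL source: a catalog check an administrator can run to see which context governs the two parameters discussed in this thread, and whether any per-role or per-database overrides (ALTER ROLE/DATABASE ... SET) exist for them. It assumes PostgreSQL 9.3 or later (for LATERAL) and uses only the standard catalogs pg_settings and pg_db_role_setting.

```sql
-- 1. Context and origin of the connection-logging parameters.
--    "context" shows when and by whom the value may be changed
--    (e.g. backend = only at connection start, sighup = config reload only,
--    superuser = SET by superusers only); "source" shows where the value
--    in effect for THIS session came from (configuration file, database,
--    user, client, ...).
SELECT name,
       setting,
       context,
       source
FROM   pg_settings
WHERE  name IN ('log_connections', 'log_disconnections')
ORDER  BY name;

-- 2. Overrides stored with ALTER ROLE ... SET / ALTER DATABASE ... SET.
--    setdatabase = 0 means "all databases", setrole = 0 means "all roles".
--    setconfig is a text[] of 'name=value' entries, so it is unnested and
--    filtered on the parameter name before the '='.
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       split_part(cfg, '=', 1)                AS parameter,
       split_part(cfg, '=', 2)                AS override_value
FROM   pg_db_role_setting AS s
       LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
       LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
       CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE  split_part(cfg, '=', 1) IN ('log_connections', 'log_disconnections')
ORDER  BY database_name, role_name, parameter;
```

Running the first query from an ordinary application login shows the value actually in effect for that session, which may differ from postgresql.conf when the parameter's context allows it to be set at connection start.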