From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Information of pg_stat_ssl visible to all users |
Date: | 2015-07-07 16:03:36 |
Message-ID: | 559BF858.4080403@gmx.net |
Lists: | pgsql-hackers |

On 7/2/15 3:29 PM, Magnus Hagander wrote:
> On Thu, Jul 2, 2015 at 5:40 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>
> > On 6/10/15 2:17 AM, Magnus Hagander wrote:
> > > AIUI that one was just about the DN field, and not about the rest. If I
> > > understand you correctly, you are referring to the whole thing, not just
> > > one field?
> >
> > I think at least the DN field shouldn't be visible to unprivileged
> > users.
>
> What's the argument for that? I mean, the DN field is the equivalent of
> the username, and we show the username in pg_stat_activity already. Are
> you envisioning a scenario where there is actually something secret in
> the DN?

I think the DN is analogous to the remote user name, which we don't
expose for any of the other authentication methods.

> > Actually, I think the whole view shouldn't be accessible to unprivileged
> > users, except maybe your own row.
>
> I could go for some of the others if we think there's reason, but I
> don't understand the dn part?
>
> I guess there's some consistency in actually blocking exactly everything...

I think the default approach for security and authentication related
information should be conservative, even if there is not a specific
reason. Or to put it another way: What is the motivation for showing
this information at all?