Re: More detailed auth info

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: More detailed auth info
Date: 2011-01-21 15:34:05
Message-ID: AANLkTi=EcZQwZZFBLJOBGsOe=vSOnVL-fZxp9jgUbw4e@mail.gmail.com
Lists: pgsql-hackers

On Fri, Jan 21, 2011 at 16:32, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Fri, Jan 21, 2011 at 10:14 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> On Fri, Jan 21, 2011 at 15:51, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>>> I came across a case this week where I wanted to be able to determine
>>>> more detailed auth information on already logged in sessions - not
>>>> from the client, but from the server. In this specific case, I wanted
>>>> to examine the "is ssl" flag on the connection. But I can see other
>>>> things being interesting, such as which user is on the other end (when
>>>> pg_ident is in use), more detailed SSL information, full kerberos
>>>> principal when kerberos in use etc.
>>>
>>>> I doubt this is common enough to want to stick it in pg_stat_activity
>>>> though, but what do people think? And if not there, as a separate view
>>>> or just as a function to call (e.g.
>>>> pg_get_detailed_authinfo(<backendpid>))
>>>
>>> By and large, it's been thought to be a possible security hole to expose
>>> such information, except possibly in the postmaster log.  I'm certainly
>>> *not* in favor of creating a view for it.
>>
>> Well, it would obviously be superuser only.
>
> What if the user's password is in their connection string?

Um, none of the fields I've suggested so far was "connection string".
In fact, that would be Pretty Darn Hard without modifying the client
to actually *send* the connection string. Which it doesn't.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
