Re: Exposure related to GUC value of ssl_passphrase_command

Hello.

On Tue, Nov 5, 2019 at 5:15 PM Moon, Insung <tsukiwamoon(dot)pgsql(at)gmail(dot)com> wrote:
> Deal Hackers.
>
> The value of ssl_passphrase_command is set so that an external command
> is called when the passphrase for decrypting an SSL file such as a
> private key is obtained.
> Therefore, easily set to work with echo "passphrase" or call to
> another get of passphrase application.
>
> I think that this GUC value doesn't contain very sensitive data,
> but just in case, it's dangerous to be visible to all users.
> I think do not possible these cases, but if a used echo external
> commands or another external command, know what application used to
> get the password, maybe we can't be convinced that there's the safety
> of using abuse by backtracking on applications.
> So I think to the need only superusers or users with the default role
> of pg_read_all_settings should see these values.
>
> Patch is very simple.
> How do you think about my thoughts like this?

I'm hardly an expert on this topic, but reading this blog post about
ssl_passphrase_command:

https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/

which mentions that some users might go with the very naive
configuration such as:

ssl_passphrase_command = 'echo "secret"'

maybe it makes sense to protect its value from everyone but superusers.

So +1.

Thanks,
Amit