| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
| Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, José Luis Tallón <jltallon(at)adv-solutions(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: RFC: Non-user-resettable SET SESSION AUTHORISATION |
| Date: | 2015-05-19 20:49:26 |
| Message-ID: | CA+TgmoaUav+WNGDDqhQ3CCZeGtrGotjoGfUJqkhgwgPZbLUf0g@mail.gmail.com |
| Lists: | pgsql-hackers |

On Tue, May 19, 2015 at 3:00 PM, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:

> As long as the cookie is randomly generated for each use, then I don't see a
> practical problem with that approach.

If the client sets the cookie via an SQL command, that command would
be written to the log, and displayed in pg_stat_activity. A malicious
user might be able to get it from one of those places.

A malicious user might also be able to just guess it. I don't really
want to create a situation where any weakness in pgpool's random number
generation becomes a privilege-escalation attack.

A protocol extension avoids all of that trouble, and can be targeted for
9.6 just like any other approach we might come up with. I actually
suspect the protocol extension will be FAR easier to fully secure, and
thus less work, not more.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company