From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Information of pg_stat_ssl visible to all users |
Date: | 2015-06-09 20:55:16 |
Message-ID: | CAB7nPqRPir6u_LZrG0WC6wZkvuvvzSvd5OOWfqA92ggO3RSzBA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Jun 9, 2015 at 3:27 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
> On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael(dot)paquier(at)gmail(dot)com> wrote:
>>
>> Hi all,
>>
>> I should have noticed that before, but it happens that pg_stat_ssl
>> leaks information about the SSL status of all the users connected to a
>> server. Let's imagine for example:
>> 1) Session 1 connected through SSL with a superuser:
>> =# create role toto login;
>> CREATE ROLE
>> =# select * from pg_stat_ssl;
>> pid | ssl | version | cipher | bits |
>> compression | clientdn
>>
>> -------+-----+---------+-----------------------------+------+-------------+----------
>> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> (1 row)
>> 2) New session 2 with previously created user:
>> => select * from pg_stat_ssl;
>> pid | ssl | version | cipher | bits |
>> compression | clientdn
>>
>> -------+-----+---------+-----------------------------+------+-------------+----------
>> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> 33367 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> (2 rows)
>>
>> Attached is a patch to mask those values to users that should not have
>> access to it, similarly to the other fields of pg_stat_activity.
>
> I don't have the thread around right now (on phone), but didn't we discuss
> this back around the original submission and decide that this was wanted
> behavior?
Looking back at this thread, it is mentioned here:
http://www.postgresql.org/message-id/31891.1405175764@sss.pgh.pa.us
> What actual sensitive data is leaked? If knowing the cipher type makes it
> easier to hack you have a broken cipher, don't you?
I am just wondering if it is a good idea to let other users know the
origin of a connection to all the users. Let's imagine the case where
for example the same user name is used for non-SSL and SSL sessions.
This could give a hint of the activity on the server..
However, feel free to ignore those concerns if you think the current
situation is fine...
--
Michael
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2015-06-09 21:03:47 | Re: [COMMITTERS] pgsql: Add pg_audit, an auditing extension |
Previous Message | David Steele | 2015-06-09 19:54:59 | Re: [COMMITTERS] pgsql: Add pg_audit, an auditing extension |