Re: Information of pg_stat_ssl visible to all users

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Information of pg_stat_ssl visible to all users
Date: 2015-06-10 06:17:46
Message-ID: CABUevEx-dpGKz-bv2k-=bkinMYPVQr1O2mEWPNNKRGJrdwFNKQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jun 9, 2015 at 10:55 PM, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
wrote:

> On Tue, Jun 9, 2015 at 3:27 PM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> >
> > On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael(dot)paquier(at)gmail(dot)com>
> > wrote:
> >>
> >> Hi all,
> >>
> >> I should have noticed that before, but it happens that pg_stat_ssl
> >> leaks information about the SSL status of all the users connected to a
> >> server. Let's imagine for example:
> >> 1) Session 1 connected through SSL with a superuser:
> >> =# create role toto login;
> >> CREATE ROLE
> >> =# select * from pg_stat_ssl;
> >>   pid  | ssl | version |           cipher            | bits | compression | clientdn
> >> -------+-----+---------+-----------------------------+------+-------------+----------
> >>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >> (1 row)
> >> 2) New session 2 with previously created user:
> >> => select * from pg_stat_ssl;
> >>   pid  | ssl | version |           cipher            | bits | compression | clientdn
> >> -------+-----+---------+-----------------------------+------+-------------+----------
> >>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >>  33367 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >> (2 rows)
> >>
> >> Attached is a patch to mask those values to users that should not have
> >> access to it, similarly to the other fields of pg_stat_activity.
> >
> > I don't have the thread around right now (on phone), but didn't we discuss
> > this back around the original submission and decide that this was wanted
> > behavior?
>
> Looking back at this thread, it is mentioned here:
> http://www.postgresql.org/message-id/31891.1405175764@sss.pgh.pa.us

AIUI that one was just about the DN field, and not about the rest. If I
understand you correctly, you are referring to the whole thing, not just
one field?

> > What actual sensitive data is leaked? If knowing the cipher type makes it
> > easier to hack you have a broken cipher, don't you?
>
> I am just wondering if it is a good idea to let other users know the
> origin of a connection to all the users. Let's imagine the case where
> for example the same user name is used for non-SSL and SSL sessions.
> This could give a hint of the activity on the server..
>
> However, feel free to ignore those concerns if you think the current
> situation is fine...
>

Well, I do think the current one is OK, but I don't want to ignore the
comment anyway :) Happy to hear comments from others as well.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
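The masking rule Michael's patch borrows from pg_stat_activity (show a session's details only to superusers and to the session's own user, NULL everything else) can be illustrated without touching the backend. The following wrapper view is an added example written for this page, not the patch from the thread and not PostgreSQL's own definition of pg_stat_ssl; it assumes a 9.5-era server where pg_stat_ssl exposes its columns to every role, and the view name masked_stat_ssl is made up here.

```sql
-- Added illustration (not the patch discussed in the thread): apply the
-- pg_stat_activity visibility rule to pg_stat_ssl. A viewer sees the SSL
-- details of a session only if the viewer is a superuser or is the same
-- role that owns the session; other rows keep their pid but get NULLs.
-- Assumption: pg_stat_ssl has the 9.5 column set shown in the thread
-- (pid, ssl, version, cipher, bits, compression, clientdn) and
-- pg_stat_activity.usename is visible to all roles, which is how the
-- viewer's right to see a row is decided here.
CREATE OR REPLACE VIEW masked_stat_ssl AS
WITH viewer AS (
    -- current_user inside a plain (non SECURITY DEFINER) view is the role
    -- running the query, so the privilege test is evaluated per caller.
    SELECT current_user AS me,
           (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) AS is_super
)
SELECT s.pid,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.ssl         END AS ssl,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.version     END AS version,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.cipher      END AS cipher,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.bits        END AS bits,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.compression END AS compression,
       CASE WHEN v.is_super OR a.usename = v.me THEN s.clientdn    END AS clientdn
FROM pg_stat_ssl s
JOIN pg_stat_activity a USING (pid)
CROSS JOIN viewer v;

-- The wrapper only helps if the unmasked view is no longer reachable by
-- everyone; otherwise a role simply queries pg_stat_ssl directly.
REVOKE SELECT ON pg_stat_ssl FROM PUBLIC;
GRANT SELECT ON masked_stat_ssl TO PUBLIC;

-- Check, replaying the thread's scenario: as the superuser both rows are
-- fully populated; after switching to the unprivileged role only that
-- role's own session still shows version, cipher and the other details.
SELECT * FROM masked_stat_ssl;
SET ROLE toto;
SELECT * FROM masked_stat_ssl;
RESET ROLE;
```

The row for another user's session is kept (with NULLs) rather than filtered out so that pid and the existence of the connection stay visible, the same compromise pg_stat_activity makes; if the concern raised in the thread is specifically that the SSL/non-SSL split hints at activity, the WHERE clause would have to drop foreign rows entirely instead, at the cost of monitoring tools no longer seeing the connection count.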
