Re: RFC: Non-user-resettable SET SESSION AUTHORISATION

On 19 May 2015 at 16:49, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:

> On Tue, May 19, 2015 at 3:00 PM, Simon Riggs <simon(at)2ndquadrant(dot)com>
> wrote:
> > As long as the cookie is randomly generated for each use, then I don't
> see a
> > practical problem with that approach.
>
> If the client sets the cookie via an SQL command, that command would
> be written to the log, and displayed in pg_stat_activity. A malicious
> user might be able to get it from one of those places.
>
> A malicious user might also be able to just guess it. I don't really
> want to create a situation where any weakess in pgpool's random number
> generation becomes a privilege-escalation attack.
>
> A protocol extension avoids all of that trouble, and can be target for
> 9.6 just like any other approach we might come up with. I actually
> suspect the protocol extension will be FAR easier to fully secure, and
> thus less work, not more.

That's a reasonable argument. So +1 to protocol from me.

To satisfy Tom, I think this would need to have two modes: one where the
session can never be reset, for ultra security, and one where the session
can be reset, which allows security and speed of pooling.

--
Simon Riggs http://www.2ndQuadrant.com/
<http://www.2ndquadrant.com/>
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services