On 01/27/2014 08:23 PM, Tom Lane wrote:
Peter Geoghegan <p...@heroku.com> writes:
On Mon, Jan 27, 2014 at 5:12 PM, KONDO Mitsumasa
<kondo.mitsum...@lab.ntt.co.jp> wrote:
This patch has security problem that root can easily see the statement file
in database cluster.
By default, we always serialize statements along with their query
texts to disk on shutdown. Until May of 2012, pg_stat_statements
didn't bother unlinking on startup, and so the file with query texts
was always on the PGDATA filesystem. What's the difference?
Root can certainly also look at query texts in shared memory, or for that
matter in the local memory of any process. So can anybody else running as
the postgres userid.
Also, current query texts are probably less interesting to an intruder
than the contents of the database itself, which is stored in the same
directory tree with the same permissions (0600) as the query-text file.
So I'm failing to detect any incremental increase in risk here. Anybody
who can read that file can already do pretty much whatever he wants with
either the server processes or the database contents.
The query texts are particularly uninteresting since I assume the data
values in the query have already been mostly dissolved away by
pg_stat_statements.
cheers
andrew
--
Sent via pgsql-committers mailing list (pgsql-committers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-committers
