On Fri, Nov 8, 2019 at 4:24 PM Amit Langote <amitlangot...@gmail.com> wrote: > > Hello. > > On Tue, Nov 5, 2019 at 5:15 PM Moon, Insung <tsukiwamoon.pg...@gmail.com> > wrote: > > Deal Hackers. > > > > The value of ssl_passphrase_command is set so that an external command > > is called when the passphrase for decrypting an SSL file such as a > > private key is obtained. > > Therefore, easily set to work with echo "passphrase" or call to > > another get of passphrase application. > > > > I think that this GUC value doesn't contain very sensitive data, > > but just in case, it's dangerous to be visible to all users. > > I think do not possible these cases, but if a used echo external > > commands or another external command, know what application used to > > get the password, maybe we can't be convinced that there's the safety > > of using abuse by backtracking on applications. > > So I think to the need only superusers or users with the default role > > of pg_read_all_settings should see these values. > > > > Patch is very simple. > > How do you think about my thoughts like this? > > I'm hardly an expert on this topic, but reading this blog post about > ssl_passphrase_command: > > https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/ > > which mentions that some users might go with the very naive > configuration such as: > > ssl_passphrase_command = 'echo "secret"' > > maybe it makes sense to protect its value from everyone but superusers. > > So +1.
Seems this proposal is reasonable. Regards, -- Fujii Masao