On Sun, Dec 23, 2012 at 02:49:08PM -0500, Tom Lane wrote:
> Noah Misch <n...@leadboat.com> writes:
> > On Sat, Dec 22, 2012 at 02:20:56PM -0500, Tom Lane wrote:
> >> #ifdef USE_SSL
> >>     if (EnableSSL)
> >>     {
> >>         struct timeval tv;
> >>
> >>         gettimeofday(&tv, NULL);
> >>         RAND_add(&tv, sizeof(tv), 0);
> >>     }
> >> #endif
>
> > Take the caution one step further and make it independent of EnableSSL.  In a
> > stock installation, a !EnableSSL postmaster will never seed its PRNG, and
> > there's no vulnerability.  Add a shared_preload_libraries module that uses the
> > OpenSSL PRNG in its _PG_init(), and suddenly you're vulnerable again.
>
> Meh.  In a postmaster that wasn't built with SSL support at all, such
> a module is still dangerous (and I'm not convinced anybody would build
> such a module anyway).  I think we should confine our ambitions to
> preventing security issues caused by our own code.
You're adding lines of code to prematurely micro-optimize the backend fork
cycle.  If code introduced into the postmaster, by us or others, ever violates
the assumption behind that micro-optimization, certain users get a precipitous
loss of security with no clear alarm bells.  I don't like that trade.

nm

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
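The failure mode the two messages are arguing about, as an added C example that is not PostgreSQL's code: a toy xorshift generator (an assumption, standing in for OpenSSL's RAND pool) is inherited across fork(), so two backends that skip the reseed emit the same first output, while the unconditional per-child reseed the reply argues for makes them diverge.

```c
#include <stdint.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy xorshift64 state standing in for the OpenSSL pool; fork() copies it
 * into every child exactly as it would copy the real pool. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t prng_next(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return prng_state;
}

/* Per-child reseed in the spirit of the patch's gettimeofday()/RAND_add(),
 * but unconditional (no EnableSSL test), which is what the reply argues for. */
static void prng_reseed_after_fork(void) {
    struct timeval tv;
    gettimeofday(&tv, NULL);
    prng_state ^= ((uint64_t) tv.tv_sec << 32) ^ (uint64_t) tv.tv_usec;
    prng_state ^= (uint64_t) getpid() << 20;
    if (prng_state == 0) prng_state = 1;   /* xorshift must never sit at zero */
}

/* Fork one "backend"; it reports its first PRNG output through a pipe. */
static uint64_t child_first_value(int reseed) {
    int fd[2]; uint64_t v = 0;
    ssize_t n; pid_t pid;
    if (pipe(fd) != 0) return 0;
    pid = fork();
    if (pid == 0) {                          /* child: inherited state */
        close(fd[0]);
        if (reseed) prng_reseed_after_fork();
        v = prng_next();
        n = write(fd[1], &v, sizeof(v));
        _exit(n == (ssize_t) sizeof(v) ? 0 : 1);
    }
    close(fd[1]);
    n = read(fd[0], &v, sizeof(v));
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t) sizeof(v) ? v : 0;
}

/* 1 if two successive backends begin with an identical PRNG output. */
int children_collide(int reseed) {
    return child_first_value(reseed) == child_first_value(reseed);
}
```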