Re: Exposure related to GUC value of ssl_passphrase_command

Amit Langote <amitlangote09@gmail.com>

From: Amit Langote <amitlangote09@gmail.com>
To: "Moon, Insung" <tsukiwamoon.pgsql@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2019-11-08T07:24:10Z
Lists: pgsql-hackers
Hello.

On Tue, Nov 5, 2019 at 5:15 PM Moon, Insung <tsukiwamoon.pgsql@gmail.com> wrote:
> Deal Hackers.
>
> The value of ssl_passphrase_command is set so that an external command
> is called when the passphrase for decrypting an SSL file such as a
> private key is obtained.
> Therefore, easily set to work with echo "passphrase" or call to
> another get of passphrase application.
>
> I think that this GUC value doesn't contain very sensitive data,
> but just in case, it's dangerous to be visible to all users.
> I think do not possible these cases, but if a used echo external
> commands or another external command,  know what application used to
> get the password, maybe we can't be convinced that there's the safety
> of using abuse by backtracking on applications.
> So I think to the need only superusers or users with the default role
> of pg_read_all_settings should see these values.
>
> Patch is very simple.
> How do you think about my thoughts like this?

I'm hardly an expert on this topic, but reading this blog post about
ssl_passphrase_command:

https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/

which mentions that some users might go with the very naive
configuration such as:

ssl_passphrase_command = 'echo "secret"'

maybe it makes sense to protect its value from everyone but superusers.

So +1.

Thanks,
Amit



Commits

  1. Mark ssl_passphrase_command as GUC_SUPERUSER_ONLY.