Re: random() (was Re: New GUC to sample log queries)
Thomas Munro <thomas.munro@enterprisedb.com>
From: Thomas Munro <thomas.munro@enterprisedb.com>
To: Peter Geoghegan <pg@bowt.ie>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Michael Paquier <michael@paquier.xyz>, Alvaro Herrera <alvherre@2ndquadrant.com>,
Adrien Nayrat <adrien.nayrat@anayrat.info>, Dmitry Dolgov <9erthalion6@gmail.com>,
Tomas Vondra <tomas.vondra@2ndquadrant.com>, Vik Fearing <vik.fearing@2ndquadrant.com>,
Robert Haas <robertmhaas@gmail.com>, David Rowley <david.rowley@2ndquadrant.com>,
Pg Hackers <pgsql-hackers@postgresql.org>
Date: 2018-12-27T04:55:16Z
Lists: pgsql-hackers
On Thu, Dec 27, 2018 at 3:55 PM Peter Geoghegan <pg@bowt.ie> wrote: > On Wed, Dec 26, 2018 at 6:39 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > The point here is not to be cryptographically strong at every single > > place where the backend might want a random number; I think we're > > all agreed that we don't need that. To me, the point is to ensure that > > the user-accessible random sequence is kept separate from internal uses, > > and the potential security exposure in the new random-logging patch is > > what justifies getting more worried about this than we were before. > > I agree that that's the point here. +1, but I wonder if just separating them is enough. Is our seeding algorithm good enough for this new purpose? The initial seed is 100% predictable to a logged in user (it's made from the backend PID and backend start time, which we tell you), and not even that hard to guess from the outside, so I think Coverity's warning is an understatement in this case. Even if we separate the PRNG state used for internal stuff so that users can't clobber its seed from SQL, wouldn't it be possible to predict which statements will survive the log sampling filter given easily available information and a good guess at how many times random() (or whatever similar thing) has been called so far? > > Now, we could probably fix that with some less intrusive patch than > > #define'ing random() --- in particular, if we give drandom and setseed > > their own private PRNG state, we've really fixed the security exposure > > without need to change anything else anywhere. So maybe we should > > just do that and be happy. > > +1. I don't like the idea of #define'ing random() myself. +1, me neither. -- Thomas Munro http://www.enterprisedb.com
Commits
-
Use pg_strong_random() to select each server process's random seed.
- 4203842a1cd0 12.0 landed
-
Use a separate random seed for SQL random()/setseed() functions.
- 6645ad6bdd81 12.0 landed
-
Marginal performance hacking in erand48.c.
- 6b9bba2df8d4 12.0 landed
-
Fix latent problem with pg_jrand48().
- e09046641114 12.0 landed
- f256995e33d2 10.7 landed
- d58e01f8abe2 11.2 landed
-
Silence compiler warning
- 9dc122585551 12.0 landed
-
Add log_statement_sample_rate parameter
- 88bdbd3f7460 12.0 landed