Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb
| От | Nathan Bossart |
|---|---|
| Тема | Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb |
| Дата | |
| Msg-id | 20230717204744.GA890035@nathanxps13 обсуждение исходный текст |
| Ответ на | Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb (Nathan Bossart <nathandbossart@gmail.com>) |
| Ответы |
Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb
|
| Список | pgsql-hackers |
On Wed, Jun 28, 2023 at 10:24:09PM -0700, Nathan Bossart wrote:
> On Wed, Jun 28, 2023 at 09:20:03PM -0700, Gurjeet Singh wrote:
>> The comment on top of connect_utils.c:connectDatabase() seems pertinent:
>>
>>> (Callers should not pass
>>> * allow_password_reuse=true unless reconnecting to the same database+user
>>> * as before, else we might create password exposure hazards.)
>>
>> The callers of {cluster|reindex}_one_database() (which in turn call
>> connectDatabase()) clearly pass different database names in successive
>> calls to these functions. So the patch seems to be in conflict with
>> the recommendation in the comment.
>>
>> I'm not sure if the concern raised in that comment is a legitimate
>> one, though. I mean, if the password is reused to connect to a
>> different database in the same cluster/instance, which I think is
>> always the case with these utilities, the password will exposed in the
>> server logs (if at all). And since the admins of the instance already
>> have full control over the passwords of the user, I don't think this
>> patch will give them any more information than what they can get
>> anyways.
>>
>> It is a valid concern, though, if the utility connects to a different
>> instance in the same run/invocation, and hence exposes the password
>> from the first instance to the admins of the second cluster.
>
> The same commit that added this comment (ff402ae) also set the
> allow_password_reuse parameter to true in vacuumdb's connectDatabase()
> calls. I found a message from the corresponding thread that provides some
> additional detail [0]. I wonder if this comment should instead recommend
> against using the allow_password_reuse flag unless reconnecting to the same
> host/port/user target. Connecting to different databases with the same
> host/port/user information seems okay. Maybe I am missing something...
Here is a new version of the patch in which I've updated this comment as
proposed. Gurjeet, do you have any other concerns about this patch?
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
Вложения
В списке pgsql-hackers по дате отправления: