Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb
From | Nathan Bossart
---|---
Subject | Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb
Date |
Msg-id | 20230717204744.GA890035@nathanxps13
In reply to | Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb (Nathan Bossart <nathandbossart@gmail.com>)
Responses | Re: harmonize password reuse in vacuumdb, clusterdb, and reindexdb
List | pgsql-hackers
On Wed, Jun 28, 2023 at 10:24:09PM -0700, Nathan Bossart wrote:
> On Wed, Jun 28, 2023 at 09:20:03PM -0700, Gurjeet Singh wrote:
>> The comment on top of connect_utils.c:connectDatabase() seems pertinent:
>>
>>> (Callers should not pass
>>> * allow_password_reuse=true unless reconnecting to the same database+user
>>> * as before, else we might create password exposure hazards.)
>>
>> The callers of {cluster|reindex}_one_database() (which in turn call
>> connectDatabase()) clearly pass different database names in successive
>> calls to these functions. So the patch seems to be in conflict with
>> the recommendation in the comment.
>>
>> I'm not sure if the concern raised in that comment is a legitimate
>> one, though. I mean, if the password is reused to connect to a
>> different database in the same cluster/instance, which I think is
>> always the case with these utilities, the password will be exposed in the
>> server logs (if at all). And since the admins of the instance already
>> have full control over the passwords of the user, I don't think this
>> patch will give them any more information than what they can get
>> anyways.
>>
>> It is a valid concern, though, if the utility connects to a different
>> instance in the same run/invocation, and hence exposes the password
>> from the first instance to the admins of the second cluster.
>
> The same commit that added this comment (ff402ae) also set the
> allow_password_reuse parameter to true in vacuumdb's connectDatabase()
> calls. I found a message from the corresponding thread that provides some
> additional detail [0]. I wonder if this comment should instead recommend
> against using the allow_password_reuse flag unless reconnecting to the same
> host/port/user target. Connecting to different databases with the same
> host/port/user information seems okay. Maybe I am missing something...

Here is a new version of the patch in which I've updated this comment as proposed.

Gurjeet, do you have any other concerns about this patch?

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
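As an added illustration of the host/port/user rule discussed in this message (this is not PostgreSQL's connect_utils.c code, and ConnTarget, connect_simulated and the cache variables are hypothetical names), here is a small C model in which a cached password is tied to the target it was typed for: a reconnect to another database on the same host/port/user reuses it, while a different host or user forces a fresh prompt even when the caller passes allow_password_reuse=true.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Connection target. Only host/port/user decide whether a cached password
 * may be reused; dbname is deliberately not part of the decision. */
typedef struct {
    const char *host;
    const char *port;
    const char *user;
    const char *dbname;
} ConnTarget;

/* Hypothetical cache state (not the real connect_utils.c variables). */
static char cached_password[128];
static ConnTarget cached_target;
static bool have_cached = false;

/* NULL-safe comparison: a missing host/port means "the default" in libpq. */
static bool same_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Reuse is safe only when the password would go to the same server and
 * authenticate the same role it was originally typed for. */
bool password_reuse_allowed(const ConnTarget *prev, const ConnTarget *next)
{
    return same_str(prev->host, next->host) &&
           same_str(prev->port, next->port) &&
           same_str(prev->user, next->user);
}

/* Simulated connect. Returns true if the cached password was reused, false
 * if the caller had to prompt (prompt_password stands in for the typed
 * value). A mismatching target never receives the old password. */
bool connect_simulated(const ConnTarget *t, bool allow_password_reuse,
                       const char *prompt_password)
{
    bool reused = allow_password_reuse && have_cached &&
                  password_reuse_allowed(&cached_target, t);
    if (!reused)
        snprintf(cached_password, sizeof cached_password, "%s", prompt_password);
    cached_target = *t;
    have_cached = true;
    return reused;
}
```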