On 01/27/2014 08:23 PM, Tom Lane wrote:
> Peter Geoghegan <pg@heroku.com> writes:
>> On Mon, Jan 27, 2014 at 5:12 PM, KONDO Mitsumasa
>> <kondo.mitsumasa@lab.ntt.co.jp> wrote:
>>> This patch has a security problem: root can easily see the statement file
>>> in the database cluster.
>> By default, we always serialize statements along with their query
>> texts to disk on shutdown. Until May of 2012, pg_stat_statements
>> didn't bother unlinking on startup, and so the file with query texts
>> was always on the PGDATA filesystem. What's the difference?
> Root can certainly also look at query texts in shared memory, or for that
> matter in the local memory of any process. So can anybody else running as
> the postgres userid.
>
> Also, current query texts are probably less interesting to an intruder
> than the contents of the database itself, which is stored in the same
> directory tree with the same permissions (0600) as the query-text file.
>
> So I'm failing to detect any incremental increase in risk here. Anybody
> who can read that file can already do pretty much whatever he wants with
> either the server processes or the database contents.
>
>
The query texts are particularly uninteresting since I assume the data
values in the query have already been mostly dissolved away by
pg_stat_statements.
cheers
andrew
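Tom's argument rests on the query-text file sitting under the data directory with the same 0600 mode as the heap files around it. A small audit that confirms that premise on a given directory tree is shown below; it is an added example, not code from the thread or from PostgreSQL, and the file names it creates (a stand-in data directory with a constructed `query_texts.stat` and `postgresql.conf`) are placeholders, not the server's real layout.

```python
import os
import stat
import tempfile


def loosely_permitted_files(data_dir):
    """Walk data_dir and return (relative path, octal mode) for every regular
    file whose mode grants any permission to group or other, i.e. anything
    looser than the 0600 the thread relies on.  Symlinks are skipped because
    their own mode bits are meaningless on most systems."""
    offenders = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                offenders.append((os.path.relpath(full, data_dir), oct(mode)))
    return sorted(offenders)


def demo():
    """Build a constructed stand-in for a data directory: one file at 0600
    (the query-text file, as the thread describes it) and one deliberately
    loosened to 0644, then run the audit over the tree."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "pg_stat_tmp"))
        query_texts = os.path.join(d, "pg_stat_tmp", "query_texts.stat")  # constructed name
        config = os.path.join(d, "postgresql.conf")                       # constructed name
        for path in (query_texts, config):
            with open(path, "w") as f:
                f.write("constructed content\n")
        os.chmod(query_texts, 0o600)
        os.chmod(config, 0o644)
        return loosely_permitted_files(d)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{rel}: {mode}")
```

Run against a real cluster as the postgres user (`loosely_permitted_files("/path/to/pgdata")`), an empty result means the query-text file confers no access that the neighbouring relation files do not already grant; any hit names a file that would change that calculus.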