Re: Information of pg_stat_ssl visible to all users

From Magnus Hagander
Subject Re: Information of pg_stat_ssl visible to all users
Date
Msg-id CABUevEwFUMB4osti0Nu73Qc=Co_dXFWAcbZBLqMz4xZHPmyEuA@mail.gmail.com
In response to Re: Information of pg_stat_ssl visible to all users  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
On Tue, Jul 7, 2015 at 6:03 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> On 7/2/15 3:29 PM, Magnus Hagander wrote:
> > On Thu, Jul 2, 2015 at 5:40 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> >
> >     On 6/10/15 2:17 AM, Magnus Hagander wrote:
> >     > AIUI that one was just about the DN field, and not about the rest. If I
> >     > understand you correctly, you are referring to the whole thing, not just
> >     > one field?
> >
> >     I think at least the DN field shouldn't be visible to unprivileged
> >     users.
> >
> > What's the argument for that? I mean, the DN field is the equivalent of
> > the username, and we show the username in pg_stat_activity already. Are
> > you envisioning a scenario where there is actually something secret in
> > the DN?
>
> I think the DN is analogous to the remote user name, which we don't
> expose for any of the other authentication methods.
>
> >     Actually, I think the whole view shouldn't be accessible to unprivileged
> >     users, except maybe your own row.
> >
> >
> > I could go for some of the others if we think there's reason, but I
> > don't understand the dn part?
> >
> > I guess there's some consistency in actually blocking exactly everything...
>
> I think the default approach for security and authentication related
> information should be conservative, even if there is not a specific
> reason.  Or to put it another way: What is the motivation for showing
> this information at all?

To make it accessible to monitoring systems that don't run as superuser (which should be most monitoring systems, but we have other cases making that hard as has already been mentioned upthread). 

I'm having a hard time trying to figure out a consensus in this thread. I think there are slightly more arguments for limiting the access though.

The question then is, if we want to hide everything, do we care about doing the "NULL dance", or should we just throw an error for non-superusers trying to access it?

--
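
The two options in the closing question, sketched as an added example that is not part of the original message or of PostgreSQL's own code. It assumes a scratch database and a superuser session; the table `demo_ssl_raw`, the views `demo_ssl_masked` and `demo_ssl_strict`, the role `demo_monitor` and all rows are hypothetical, constructed stand-ins.

```sql
-- Constructed stand-in for per-backend SSL state (not the real pg_stat_ssl).
CREATE ROLE demo_monitor NOLOGIN;            -- hypothetical monitoring role
CREATE TABLE demo_ssl_raw (
    pid      integer PRIMARY KEY,
    usename  name NOT NULL,                  -- owner of the session
    ssl      boolean,
    version  text,
    cipher   text,
    clientdn text
);
REVOKE ALL ON demo_ssl_raw FROM PUBLIC;
INSERT INTO demo_ssl_raw VALUES
    (101, 'alice',        true,  'TLSv1.2', 'ECDHE-RSA-AES256-GCM-SHA384', '/CN=alice'),
    (102, 'bob',          true,  'TLSv1.2', 'ECDHE-RSA-AES256-GCM-SHA384', '/CN=bob'),
    (103, 'demo_monitor', false, NULL,      NULL,                          NULL);

-- Option 1, the "NULL dance": everybody gets one row per session, but the
-- SSL columns are populated only for the caller's own sessions or for a
-- superuser. Inside a view, current_user is the role running the query.
CREATE VIEW demo_ssl_masked AS
SELECT r.pid,
       CASE WHEN r.visible THEN r.ssl      END AS ssl,
       CASE WHEN r.visible THEN r.version  END AS version,
       CASE WHEN r.visible THEN r.cipher   END AS cipher,
       CASE WHEN r.visible THEN r.clientdn END AS clientdn
FROM (SELECT s.*,
             s.usename = current_user
             OR (SELECT rolsuper FROM pg_roles
                 WHERE rolname = current_user) AS visible
      FROM demo_ssl_raw s) r;
GRANT SELECT ON demo_ssl_masked TO PUBLIC;

-- Option 2, hard failure: same columns, but no privilege for PUBLIC, so an
-- unprivileged query is rejected instead of receiving masked rows.
CREATE VIEW demo_ssl_strict AS
SELECT pid, ssl, version, cipher, clientdn FROM demo_ssl_raw;
REVOKE ALL ON demo_ssl_strict FROM PUBLIC;

-- Compare both behaviours as the unprivileged monitoring role.
SET ROLE demo_monitor;
SELECT * FROM demo_ssl_masked;   -- other users' sessions: SSL columns are NULL
SELECT * FROM demo_ssl_strict;   -- rejected with a permission error
RESET ROLE;
```

With option 2, a non-superuser monitoring role needs an explicit `GRANT SELECT` on the view, which is an assumption of this sketch rather than something proposed in the thread.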
