On 2020-Oct-17, Julien Rouhaud wrote:

> On Sat, Oct 17, 2020 at 12:23 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
> > then there's a potential security issue if the GUC is USERSET level:
> > a user could hide her queries from pg_stat_statement by turning the
> > GUC off. So this line of thought suggests the GUC needs to be at
> > least SUSET, and maybe higher ... doesn't pg_stat_statement need it
> > to have the same value cluster-wide?
>
> Well, I don't think that there's any guarantee that pg_stat_statements
> will display all activity that has been run, since there's a limited
> amount of (userid, dbid, queryid) that can be stored, but I agree that
> allowing a random user to hide their activity isn't nice. Note that I
> defined the GUC as SUSET, but maybe it should be SIGHUP?

I don't think we should consider pg_stat_statement a bulletproof defense
for security problems. It is already lossy by design.

I do think it'd be preferable if we allowed it to be disabled at the
config file level only, not with SET (prevent users from hiding stuff);
but I think it is useful to allow users to enable it for specific
queries or for specific sessions only, while globally disabled. This
might mean we need to mark it PGC_SIGHUP and then have the check hook
disallow it from being changed under such-and-such conditions.