On 01/21/2014 07:22 AM, Harold Giménez wrote:
> First of all, I apologize for submitting a patch and missing the commitfest
> deadline. Given the size of the patch, I thought I'd submit it for your
> consideration regardless.
>
> This patch prevents non-superusers from viewing other users'
> pg_stat_activity.application_name. This topic was discussed some time ago
> [1] and consequently application_name was made world readable [2].
>
> I would like to propose that we hide it instead by reverting to the
> original behavior. There is a very large number of databases on the same
> cluster shared across different users who can easily view each other's
> application_name values. Along with that, there are some libraries that
> default application_name to the name of the running process [3], which can
> leak information about what web servers applications are running, queue
> systems, etc. Furthermore, leaking application names in a multi-tenant
> environment is more information than an attacker should have access to on
> services like Heroku and other similar providers.

I don't find these arguments compelling to change it now. It's
well-documented that application_name is visible to everyone. Just don't
put sensitive information there.

For those users that don't mind advertising application_name, the patch
would be highly inconvenient. For example, the database owner could no
longer see the application_name of other users connected to her database.

- Heikki
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)