On Thu, Jun 12, 2014 at 8:51 PM, Fujii Masao <masao.fu...@gmail.com> wrote:
> Hi,
>
> Some users enable log_disconnections in postgresql.conf to audit all logouts.
> But since log_disconnections is defined with PGC_BACKEND, it can be changed
> at connection start. This means that any client (even nonsuperuser) can freely
> disable log_disconnections not to log his or her logout even when the
> system admin enables it in postgresql.conf. Isn't this problematic for audit?

That's harmful for audit purposes. I think that we should make
log_disconnections PGC_SUSET rather than PGC_BACKEND in order
to forbid non-superusers from changing its setting. The attached
patch does this.

Also, defining log_disconnections with PGC_BACKEND itself seems strange.
Since it's used only at connection termination, there seems to be
no need to fix its setting value at connection startup. No? OTOH,
for example, log_connections and post_auth_delay are defined with
PGC_BACKEND and their settings can be changed only at connection startup.
This seems intuitive because they are used only at connection
startup and it's useless to change their settings after that. But
the situation of log_disconnections seems different from them.
Am I missing something?

One concern is that the patch may break existing applications if they
rely on the current behavior of log_disconnections. But I'm
wondering if such applications really exist.

Thoughts?

Regards,

-- 
Fujii Masao
From d3e6db1516a8cbb557e38a56b26c34ed7e51d9e1 Mon Sep 17 00:00:00 2001
From: MasaoFujii <masao.fu...@gmail.com>
Date: Fri, 13 Jun 2014 22:09:39 +0900
Subject: [PATCH] Make log_disconnections PGC_SUSET rather than PGC_BACKEND.

So far even non-superusers could disable log_disconnections in order to
prevent their session logout from being logged because the parameter was
defined with PGC_BACKEND. This was harmful in the systems which need to
audit all session logouts by using log_disconnections. For this problem,
this commit changes the GUC context of log_disconnections to PGC_SUSET
and forbids non-superusers from changing its setting.
---
 doc/src/sgml/config.sgml     |    2 +-
 src/backend/utils/misc/guc.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 697cf99..184d864 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -4234,7 +4234,7 @@ local0.*    /var/log/postgresql
         <varname>log_connections</varname> but at session termination,
         and includes the duration of the session.  This is off by
         default.
-        This parameter cannot be changed after session start.
+        Only superusers can change this setting.
        </para>
       </listitem>
      </varlistentry>
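Review bot: The new sentence on the `+` line says who may change the setting but drops any statement of when a change takes effect, which the removed sentence ("cannot be changed after session start") used to cover. Since the parameter is only evaluated at session termination, I would extend the paragraph to say that a superuser can now change it during a session and that the value in effect at termination decides whether the logout is logged. A short note that non-superusers can no longer set it at connection start would also help readers who relied on the old wording.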
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 1d094f0..7c84c9f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -922,7 +922,7 @@ static struct config_bool ConfigureNamesBool[] =
 		NULL, NULL, NULL
 	},
 	{
-		{"log_disconnections", PGC_BACKEND, LOGGING_WHAT,
+		{"log_disconnections", PGC_SUSET, LOGGING_WHAT,
 			gettext_noop("Logs end of a session, including duration."),
 			NULL
 		},
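Review bot: Moving the `log_disconnections` entry from PGC_BACKEND to PGC_SUSET does two things at once, and only one is described in the commit message: it blocks non-superusers, but it also lets a superuser flip the flag in the middle of a session, so a superuser session can still suppress its own logout record. If the audit goal is that every logout is logged once the admin enables it in postgresql.conf, please state that residual case explicitly in the commit message or docs. It would also be worth adding a test or at least a manual check that a non-superuser supplying the option at connection start is now rejected, since that is the compatibility change raised in the cover mail.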
-- 
1.7.1
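
An added audit query, not part of the original message or patch: run as a superuser, it lists logging parameters whose GUC context still lets an unprivileged session set them (the condition described above for log_disconnections under PGC_BACKEND), then any per-role or per-database overrides of log_* parameters. It assumes the standard pg_settings view and pg_db_role_setting catalog; the choice of which contexts and name prefix to flag is this example's own.

```sql
-- Added example (not from the patch). Run as a superuser so every row is visible.

-- 1. Logging parameters an unprivileged session can influence.
--    context = 'user'    : changeable by any role at any time (SET).
--    context = 'backend' : changeable by any role, but only at connection
--                          start (e.g. through connection options).
--    After the patch above, log_disconnections should no longer be listed.
SELECT name,
       setting,
       context,
       source
FROM   pg_settings
WHERE  category LIKE 'Reporting and Logging%'
AND    context IN ('user', 'backend')
ORDER  BY context, name;

-- 2. The audit-relevant pair itself, with where the value came from.
--    A source other than 'configuration file' or 'default' deserves a look.
SELECT name, setting, context, source, sourcefile, sourceline
FROM   pg_settings
WHERE  name IN ('log_connections', 'log_disconnections');

-- 3. Stored per-role / per-database overrides of log_* parameters.
--    These are applied at session start, so they can differ from
--    postgresql.conf without any client-side option being passed.
--    A NULL database or role means the entry applies to all of them.
SELECT d.datname  AS database,
       r.rolname  AS role,
       cfg        AS override
FROM   pg_db_role_setting s
LEFT   JOIN pg_database d ON d.oid = s.setdatabase
LEFT   JOIN pg_roles    r ON r.oid = s.setrole
CROSS  JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE  cfg LIKE 'log\_%'
ORDER  BY 1, 2, 3;
```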
