Re: [HACKERS] FPW compression leaks information

Tue, 07 Jul 2015 06:22:57 -0700 

On 07/07/2015 04:15 PM, Stephen Frost wrote:

* Fujii Masao (masao.fu...@gmail.com) wrote:

On Thu, Apr 16, 2015 at 4:26 PM, Michael Paquier
<michael.paqu...@gmail.com> wrote:

+         the compression ratio of a full page image gives a hint of what is
+         the existing data of this page.  Tables that contain sensitive
+         information like <structname>pg_authid</structname> with password
+         data could be potential targets to such attacks. Note that as a
+         prerequisite a user needs to be able to insert data on the same page
+         as the data targeted and need to be able to detect checkpoint
+         presence to find out if a compressed full page write is included in
+         WAL to calculate the compression ratio of a page using WAL positions
+         before and after inserting data on the page with data targeted.
+        </para>
+       </warning>


I think that, in addition to the description of the risk, it's better to
say that this vulnerability is cumbersome to exploit in practice.

Attached is the updated version of the patch. Comments?


Personally, I don't like simply documenting this issue.  I'd much rather
we restrict the WAL info as it's really got no business being available
to the general public.  I'd be fine with restricting that information to
superusers when compression is enabled, or always, for 9.5 and then
fixing it properly in 9.6 by allowing it to be visible to a
"pg_monitoring" default role which admins can then grant to users who
should be able to see it.



Well, then you could still launch the same attack if you have the 
pg_monitoring privileges. So it would be more like a "monitoring and 
grab everyone's passwords" privilege ;-). Ok, in seriousness the attack 
isn't that easy to perform, but I still wouldn't feel comfortable giving 
that privilege to anyone who isn't a superuser anyway.



Yes, we'll get flak from people who are running with non-superuser
monitoring tools today, but we already have a bunch of superuser-only
things that monioring tools want, so this doesn't move the needle
particularly far, in my view.


That would be a major drawback IMHO, and a step in the wrong direction.

- Heikki



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers






















					Reply via email to