Exposure related to GUC value of ssl_passphrase_command

Exposure related to GUC value of ssl_passphrase_command

Moon, Insung-2
Dear Hackers,

The value of ssl_passphrase_command is set so that an external command
is called to obtain the passphrase for decrypting an SSL file such as a
private key.
Therefore, it can easily be set to something like echo "passphrase", or
to a call to another application that gets the passphrase.

I think this GUC value doesn't contain very sensitive data,
but just in case, it is dangerous for it to be visible to all users.
I don't think these cases are possible, but if echo or another external
command is used, then knowing which application is used to get the
password means that maybe we can't be convinced it is safe from abuse
by backtracking through that application.
So I think only superusers or users with the default role
pg_read_all_settings should be able to see this value.

The patch is very simple.
What do you think about this?

Best regards.
Moon.

Change-show-authority-of-ssl_passphrase_command.diff (628 bytes)

Re: Exposure related to GUC value of ssl_passphrase_command

Amit Langote
Hello.

On Tue, Nov 5, 2019 at 5:15 PM Moon, Insung <[hidden email]> wrote:

> Dear Hackers,
>
> The value of ssl_passphrase_command is set so that an external command
> is called to obtain the passphrase for decrypting an SSL file such as a
> private key.
> Therefore, it can easily be set to something like echo "passphrase", or
> to a call to another application that gets the passphrase.
>
> I think this GUC value doesn't contain very sensitive data,
> but just in case, it is dangerous for it to be visible to all users.
> I don't think these cases are possible, but if echo or another external
> command is used, then knowing which application is used to get the
> password means that maybe we can't be convinced it is safe from abuse
> by backtracking through that application.
> So I think only superusers or users with the default role
> pg_read_all_settings should be able to see this value.
>
> The patch is very simple.
> What do you think about this?

I'm hardly an expert on this topic, but reading this blog post about
ssl_passphrase_command:

https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/

which mentions that some users might go with a very naive
configuration such as:

ssl_passphrase_command = 'echo "secret"'

maybe it makes sense to protect its value from everyone but superusers.

So +1.

Thanks,
Amit
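The contrast both messages describe, as an added example that is not part of the thread, the attached patch, or PostgreSQL itself: the naive setting quoted by Amit puts the passphrase into the GUC value itself, so it is only as secret as that setting is, whereas a wrapper script keeps the GUC value down to a script name and a path. The script path /usr/local/bin/pg_ssl_passphrase, the passphrase file /etc/postgresql/ssl_key.pass and the sample passphrase are assumptions; the wrapper refuses to run if the passphrase file is readable by group or others, and a small audit function reports whether a given GUC value embeds the passphrase verbatim.

```shell
# Added example: not from the thread, the patch, or PostgreSQL.
#
# Naive setting (the passphrase IS the GUC value, so anyone who can read
# pg_settings or run SHOW ssl_passphrase_command has the key passphrase):
#   ssl_passphrase_command = 'echo "secret"'
#
# Wrapper setting (the GUC value reveals only a script and a file path; the
# passphrase lives in a file readable by the server's OS user alone).
# Paths are assumptions for this example:
#   ssl_passphrase_command = '/usr/local/bin/pg_ssl_passphrase /etc/postgresql/ssl_key.pass'

# Print the passphrase on stdout for the server to read. Refuse if the file
# is readable by group or others, so an accidental chmod makes the server
# fail to start instead of silently widening who can read the passphrase.
pg_ssl_passphrase() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "pg_ssl_passphrase: $file not found" >&2
        return 1
    fi
    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "pg_ssl_passphrase: $file is readable by group/other ($perms)" >&2
        return 1
    fi
    # The passphrase is the first line of the file.
    head -n 1 "$file"
}

# Audit helper: returns 0 if the passphrase string appears verbatim in the
# GUC value, i.e. the setting leaks it to anyone who can read settings.
guc_embeds_passphrase() {
    guc_value="$1"
    passphrase="$2"
    case "$guc_value" in
        *"$passphrase"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

To use the wrapper, install it at the assumed script path, create the passphrase file as the PostgreSQL OS user with mode 0400, and point ssl_passphrase_command at the script with the file path as its argument; a reader of pg_settings then learns only where the passphrase is stored, not what it is.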