Re: pgsql: Keep pg_stat_statements' query texts in a file, not in shared me

On 01/27/2014 08:23 PM, Tom Lane wrote:
> Peter Geoghegan <pg(at)heroku(dot)com> writes:
>> On Mon, Jan 27, 2014 at 5:12 PM, KONDO Mitsumasa
>> <kondo(dot)mitsumasa(at)lab(dot)ntt(dot)co(dot)jp> wrote:
>>> This patch has security problem that root can easily see the statement file
>>> in database cluster.
>> By default, we always serialize statements along with their query
>> texts to disk on shutdown. Until May of 2012, pg_stat_statements
>> didn't bother unlinking on startup, and so the file with query texts
>> was always on the PGDATA filesystem. What's the difference?
> Root can certainly also look at query texts in shared memory, or for that
> matter in the local memory of any process. So can anybody else running as
> the postgres userid.
>
> Also, current query texts are probably less interesting to an intruder
> than the contents of the database itself, which is stored in the same
> directory tree with the same permissions (0600) as the query-text file.
>
> So I'm failing to detect any incremental increase in risk here. Anybody
> who can read that file can already do pretty much whatever he wants with
> either the server processes or the database contents.
>
>

The query texts are particularly uninteresting since I assume the data
values in the query have already been mostly dissolved away by
pg_stat_statements.

cheers

andrew