Re: Audit of logout

On Mon, Jun 23, 2014 at 5:42 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
> On Sat, Jun 21, 2014 at 12:59 PM, Joe Conway <mail(at)joeconway(dot)com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 06/13/2014 07:29 AM, Tom Lane wrote:
>>> Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
>>>> On Thu, Jun 12, 2014 at 8:51 PM, Fujii Masao
>>>> <masao(dot)fujii(at)gmail(dot)com> wrote:
>>>>> Some users enable log_disconnections in postgresql.conf to
>>>>> audit all logouts. But since log_disconnections is defined with
>>>>> PGC_BACKEND, it can be changed at connection start. This means
>>>>> that any client (even nonsuperuser) can freely disable
>>>>> log_disconnections not to log his or her logout even when the
>>>>> system admin enables it in postgresql.conf. Isn't this
>>>>> problematic for audit?
>>>
>>>> That's harmful for audit purpose. I think that we should make
>>>> log_disconnections PGC_SUSET rather than PGC_BACKEND in order to
>>>> forbid non-superusers from changing its setting. Attached patch
>>>> does this.
>>
>> This whole argument seems wrong unless I'm missing something:
>>
>> test=# set log_connections = on;
>> ERROR: parameter "log_connections" cannot be set after connection start
>> test=# set log_disconnections = off;
>> ERROR: parameter "log_disconnections" cannot be set after connection
>> start

Hmm... I found that you had marked this proposal as "Returned with Feedback".
But I don't think that we reached the consensus to do that. I think that it's
still worth discussing this topic in this CF. So I marked this as "Needs Review"
again.

If you strongly think that this proposal should be marked as
"Returned with Feedback", could you let me know why you think so?

Regards

--
Fujii Masao