From: Antonin Houska <[email protected]>
To: Greg Sabino Mullane <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: POC: Carefully exposing information without authentication
Date: Fri, 09 Jan 2026 14:56:38 +0100
Message-ID: <11894.1767966998@localhost> (raw)
In-Reply-To: <CAKAnmmKxP7bOO7QOLdSk8dYoUxFRus2XC1nEbk6En9GgV_4JbA@mail.gmail.com>
References: <CAKAnmm+T-CEDLmRezWfH-7ZEsFfD_kU2KY1TgB288K+wprB_4Q@mail.gmail.com>
<21076.1748617331@localhost>
<CAKAnmmJ77jeYZGXPBxb75U52ojNRUoKd6Za-T26xNPCouUeV8g@mail.gmail.com>
<[email protected]>
<CAKAnmm+RQbLFv1F35ZTRZfMRigwN0LN0KKRocLLpwSshBTZxvg@mail.gmail.com>
<CAKAnmmLdrvdCMbAQbfiWY3q=zv+-11zZk+jweTRVCJrNL=aD4A@mail.gmail.com>
<CAKAnmmKxP7bOO7QOLdSk8dYoUxFRus2XC1nEbk6En9GgV_4JbA@mail.gmail.com>
Greg Sabino Mullane <[email protected]> wrote:

> Version 4 attached, rebased to account for new tests, plus a new instra-test
> check to make sure LWP::UserAgent is available before running.

I'm still not sure it's necessary to handle the problem at the socket level. I
imagine it can be implemented this way:

1. Add a new field to the PGconn structure, indicating that the client is only
   requesting the server status information, and adjust pg_isready so it sets
   this option.

2. Adjust the libpq frontend (pqBuildStartupPacket3) so it adds the
   corresponding option to the startup packet.

3. On the server, if ProcessStartupPacket() sees that option, call
   ereport(FATAL) with a specific error code, and let the appropriate GUCs
   control the contents of the error message. pg_isready would then just print
   out the message.

I haven't tried to write any code, so it's possible that I'm missing
something.

Regarding configuration, I'd prefer a single GUC. The value can be a
comma-separated list of keywords, each representing a particular piece of
information to be exposed.

--
Antonin Houska
Web: https://www.cybertec-postgresql.com
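
Added example, not part of the message above and not code from the patch or from PostgreSQL: a bounds-checked scan of a protocol 3.0 startup packet for the option that step 3 says the server would look for. The option name `_pq_.status_only` and the value "1" are assumptions, since the thread does not name the option; the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_V3   0x00030000u
#define STATUS_OPT "_pq_.status_only" /* hypothetical name, not from the thread */

/* Constructed sample packet: user=probe plus the hypothetical option = "1". */
static const unsigned char sample_pkt[] =
    "\x00\x00\x00\x27\x00\x03\x00\x00"
    "user\0probe\0" "_pq_.status_only\0" "1\0";

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Return the NUL-terminated string starting at buf[*pos], or NULL if no NUL
 * occurs before the end of the packet. Advances *pos past the NUL. */
static const char *next_str(const unsigned char *buf, size_t len, size_t *pos)
{
    const unsigned char *nul = memchr(buf + *pos, 0, len - *pos);
    const char *s = (const char *)(buf + *pos);
    if (nul == NULL)
        return NULL;
    *pos = (size_t)(nul - buf) + 1;
    return s;
}

/* 1: status-only requested, 0: ordinary startup, -1: malformed packet. */
int startup_wants_status(const unsigned char *buf, size_t len)
{
    size_t pos = 8; /* skip the length and protocol version words */
    int wanted = 0;

    if (len < 9 || be32(buf) != len || be32(buf + 4) != PROTO_V3)
        return -1;
    while (pos < len && buf[pos] != 0) {
        const char *key = next_str(buf, len, &pos);
        const char *val = key ? next_str(buf, len, &pos) : NULL;
        if (val == NULL)
            return -1; /* key or value ran off the end: reject */
        if (strcmp(key, STATUS_OPT) == 0)
            wanted = (strcmp(val, "1") == 0);
    }
    /* The list terminator must be the final byte of the packet. */
    return (pos == len - 1) ? wanted : -1;
}
```

The packet is parsed before any authentication, so every malformed case returns -1 and none is treated as a status request.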