Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsRDI-001BX7-03 for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Feb 2026 19:58:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vsRDH-00BsbL-0R for pgsql-hackers@arkaria.postgresql.org; Tue, 17 Feb 2026 19:58:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vsRDG-00BsbB-2J for pgsql-hackers@lists.postgresql.org; Tue, 17 Feb 2026 19:58:26 +0000 Received: from fout-a2-smtp.messagingengine.com ([103.168.172.145]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vsRDD-000000016he-3vRI for pgsql-hackers@lists.postgresql.org; Tue, 17 Feb 2026 19:58:25 +0000 Received: from phl-compute-03.internal (phl-compute-03.internal [10.202.2.43]) by mailfout.phl.internal (Postfix) with ESMTP id 11427EC0569; Tue, 17 Feb 2026 14:58:24 -0500 (EST) Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-03.internal (MEProxy); Tue, 17 Feb 2026 14:58:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1771358304; x=1771444704; bh=GTfbuARaE8 gJ1Rz7g42pVQmUh7Nu65MsXLGAymPNrsU=; b=QM6GE35y25vLoFQPxmJBExRpps Z/XpvA4L5NZBuIvNVNGpEZb18yNp6yKkHpRe6vDB2drM0qWeWse5UfyYe+ZgTbWB MM5qn7zl87QxnhIpAZX0TZqVTsiLd4oxBYwh2+lGmu/Z73rFSMX2PVfyFLY1DyjQ p7Ytq/QiwxOBD2HX/TomKneWNxnvem1F7+WfQ4OQSG4AthT/dWPyw+jdI3iBNnF3 2tSioJVlcinf395E2WSpNpFOVCoRie617Xuh0pr5aP2nP6tLELk07A0i5NpGs/yR YsubrjkoxZYuf1+Md1G8LvcJZ5QWztnMt045h+VbwVaC8UTZdcgC3MrMNpwQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1771358304; x=1771444704; bh=GTfbuARaE8gJ1Rz7g42pVQmUh7Nu65MsXLG AymPNrsU=; b=COzYJxM1mENilE/5NYLpIbh9F8qYksVLNRnS8lMeO5ZzES/m9yI L3xXVE7fHBNLUiV1W3JhM+5UAhyt863FZObq5j6mB6UfKclMcOByCTZycCSDgL6L t0YVOlnC3aU3Nk7/T175+gxS2N2cFowyDSGloX7mJvtT0tixoEVmjIoZ+79DO5Qr 9wYLprhcla4+nY+BQ5xkyKm7qfW2uwgIZHDIEeVOR5IDtZ0a5bCtp/WDGUYRNAXi Z5TctpcLcVRNYCiETVWWKNrCsHm7lNtzUNQIbfEQW8WDWwfajwcP2HsyEN2v+I0e FBcPHhvpE5sDrfFE0lIfT96fxJXtRlF8PpQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgddvvddtieeiucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf gurhepfffhvfevuffkfhggtggujgesthdtsfdttddtvdenucfhrhhomheptehnughrvghs ucfhrhgvuhhnugcuoegrnhgurhgvshesrghnrghrrgiivghlrdguvgeqnecuggftrfgrth htvghrnhepfeffgfelvdffgedtveelgfdtgefghfdvkefggeetieevjeekteduleevjefh ueegnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprg hnughrvghssegrnhgrrhgriigvlhdruggvpdhnsggprhgtphhtthhopeegpdhmohguvgep shhmthhpohhuthdprhgtphhtthhopegrhhestgihsggvrhhtvggtrdgrthdprhgtphhtth hopehhthgrmhhfihgushesghhmrghilhdrtghomhdprhgtphhtthhopehpghhsqhhlqdhh rggtkhgvrhhssehlihhsthhsrdhpohhsthhgrhgvshhqlhdrohhrghdprhgtphhtthhope htghhlsehsshhsrdhpghhhrdhprgdruhhs X-ME-Proxy: Feedback-ID: id4a34324:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 17 Feb 2026 14:58:23 -0500 (EST) Date: Tue, 17 Feb 2026 14:58:22 -0500 From: Andres Freund To: Greg Sabino Mullane Cc: Antonin Houska , Tom Lane , "pgsql-hackers@lists.postgresql.org" Subject: Re: POC: Carefully exposing information without authentication Message-ID: References: <21076.1748617331@localhost> <2724612.1748655287@sss.pgh.pa.us> <11894.1767966998@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On 2026-02-17 14:42:48 -0500, Greg Sabino Mullane wrote: > Subject: [PATCH] Allow specific information to be output directly by Postgres. I strongly encourage you to include a justification for why this is desirable, so a casual reviewer doesn't have to reread the thread. > @@ -148,6 +172,14 @@ BackendInitialize(ClientSocket *client_sock, CAC_state cac) > StringInfoData ps_data; > MemoryContext oldcontext; > > + /* > + * Scan for a simple GET / HEAD request. If this is detected and > + * handled, we are done and can immediately exit > + */ > + if ((expose_recovery || expose_sysid || expose_version) > + && ExposeInformation(client_sock->sock)) > + _exit(0); /* Safe to use exit: no state or resources created yet */ > + > /* Tell fd.c about the long-lived FD associated with the client_sock */ > ReserveExternalFD(); > What about direct TLS connections? How can a cluster coordinator trust unauthenticated plain text communication that can just be man-in-the-middled? It's not obvious that it's a good idea to expose this on the same socket as normal client connections. IMO you'd want to limit this to a smaller set of interfaces than normal client connections. > +/* > + * ExposeInformation > + * > + * Handle early socket probe before full backend startup. > + * Responds to small set of predefined endpoints (e.g. GET /info) > + * > + * Requires at least one "expose_" GUC to be true. > + * > + * Returns true if any endpoint is recognized. > + */ > + > +static bool > +ExposeInformation(pgsocket fd) > +{ > + static endpoint_action endpoint_actions[] = > + { > + { > + "HEAD /replica", &expose_recovery, EXPOSE_HEAD_REPLICA > + }, > + { > + "GET /replica", &expose_recovery, EXPOSE_GET_REPLICA > + }, > + { > + "GET /sysid", &expose_sysid, EXPOSE_GET_SYSID > + }, > + { > + "GET /version", &expose_version, EXPOSE_GET_VERSION > + }, > + { > + "GET /info", NULL, EXPOSE_GET_ALL > + } > + }; > + > + ssize_t n; > + char buf[EXPOSE_MAX_QUERY + 1]; > + ExposeReturnType type; > + > + Assert(expose_recovery || expose_sysid || expose_version); > + > + do > + { > + n = recv(fd, buf, EXPOSE_MAX_QUERY, MSG_PEEK); > + } while (n < 0 && errno == EINTR); > > + /* > + * Leave as soon as possible if no chance we are interested. > + * (we also leave on partial reads from slow clients) > + * We also simply return false for n == -1 > + */ > + if (n < EXPOSE_MIN_QUERY) > + return false; IIRC the socket is in blocking mode at this point (that's only changed in pq_init()), therefore this might actually block? While it's unlikely, I don't see any guarantee that a single receive would actually get the whole message from the client either, so this seems like it might fail spuriously. > diff --git a/src/backend/utils/misc/guc_parameters.dat b/src/backend/utils/misc/guc_parameters.dat > index 271c033952e..3e99d9f6b7c 100644 > --- a/src/backend/utils/misc/guc_parameters.dat > +++ b/src/backend/utils/misc/guc_parameters.dat > @@ -1010,6 +1010,25 @@ > boot_val => 'false', > }, > > +{ name => 'expose_recovery', type => 'bool', context => 'PGC_SIGHUP', group => 'CONN_AUTH_AUTH', > + short_desc => 'Exposes if the server is in recovery mode without a login.', > + variable => 'expose_recovery', > + boot_val => 'false', > +}, > + > +{ name => 'expose_sysid', type => 'bool', context => 'PGC_SIGHUP', group => 'CONN_AUTH_AUTH', > + short_desc => 'Exposes the system identifier without a login.', > + variable => 'expose_sysid', > + boot_val => 'false', > +}, > + > +{ name => 'expose_version', type => 'bool', context => 'PGC_SIGHUP', group => 'CONN_AUTH_AUTH', > + short_desc => 'Exposes the server version without a login.', > + variable => 'expose_version', > + boot_val => 'false', > +}, > + If we were to do this, I'd recommend a single expose GUC that has the different values as a comma separated list, instead a growing list of GUCs. Greetings, Andres Freund