Commit 6645ad6
Use a separate random seed for SQL random()/setseed() functions.
Previously, the SQL random() function depended on libc's random(3), and setseed() invoked srandom(3). This results in interference between these functions and backend-internal uses of random(3). We'd never paid too much mind to that, but in the wake of commit 88bdbd3 which added log_statement_sample_rate, the interference arguably has a security consequence: if log_statement_sample_rate is active then an unprivileged user could probably control which if any of his SQL commands get logged, by issuing setseed() at the right times. That seems bad.

To fix this reliably, we need random() and setseed() to use their own private random state variable. Standard random(3) isn't amenable to such usage, so let's switch to pg_erand48(). It's hard to say whether that's more or less "random" than any particular platform's version of random(3), but it does have a wider seed value and a longer period than are required by POSIX, so we can hope that this isn't a big downgrade. Also, we should now have uniform behavior of random() across platforms, which is worth something.

While at it, upgrade the per-process seed initialization method to use pg_strong_random() if available, greatly reducing the predictability of the initial seed value. (I'll separately do something similar for the internal uses of random().)

In addition to forestalling the possible security problem, this has a benefit in the other direction, which is that we can now document setseed() as guaranteeing a reproducible sequence of random() values. Previously, because of the possibility of internal calls of random(3), we could not promise any such thing.

Discussion: https://postgr.es/m/3859.1545849900@sss.pgh.pa.us

1 parent 1a4eba4, commit 6645ad6
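As an added illustration of the coupling the commit message describes (a constructed model written for this page, not PostgreSQL's code): a miniature backend that, in the old configuration, drives SQL random()/setseed() and its own internal draws from one shared state, and in the new configuration gives the SQL functions a private state. The PRNG is a self-contained 48-bit LCG written in the style of erand48(3), standing in for pg_erand48(); the names `backend`, `should_log`, `logged_mask`, `sql_sequence_reproducible` and every seed value are hypothetical and chosen for the demo. It checks the two properties the message claims for the fix: the backend's sampling decision (the log_statement_sample_rate stand-in) no longer depends on a user-supplied seed, and setseed() followed by random() is reproducible even when internal draws happen in between.

```c
/* Constructed model of the change described in the commit message; not PostgreSQL code.
 * shared == true  : pre-fix behaviour, one state serves SQL random()/setseed() and
 *                   the backend's own draws (e.g. the log sampling decision).
 * shared == false : post-fix behaviour, SQL functions own a private state.
 * The PRNG is a 48-bit LCG in the style of erand48(3), a stand-in for pg_erand48(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MASK48 ((1ULL << 48) - 1)

typedef struct { uint64_t x; } rand48_state;

static void rand48_seed(rand48_state *st, uint64_t seed) { st->x = seed & MASK48; }

/* One LCG step; returns a value in [0, 1). */
static double rand48_next(rand48_state *st)
{
    st->x = (st->x * 0x5DEECE66DULL + 0xBULL) & MASK48;
    return (double) st->x / (double) (1ULL << 48);
}

typedef struct {
    bool shared;            /* true: single state for everything (pre-fix) */
    rand48_state internal;  /* state the backend's own decisions draw from */
    rand48_state sql;       /* private state for SQL random()/setseed() (post-fix) */
} backend;

static void backend_init(backend *b, bool shared, uint64_t boot_seed)
{
    b->shared = shared;
    rand48_seed(&b->internal, boot_seed);
    rand48_seed(&b->sql, boot_seed ^ 0x5A5A5A5AULL); /* stand-in for an independent per-process seed */
}

/* Which state the SQL-level functions touch depends on the configuration. */
static rand48_state *sql_state(backend *b) { return b->shared ? &b->internal : &b->sql; }

static void   sql_setseed(backend *b, uint64_t seed) { rand48_seed(sql_state(b), seed); }
static double sql_random(backend *b)                { return rand48_next(sql_state(b)); }

/* Stand-in for the log_statement_sample_rate decision: log iff draw < rate. */
static bool should_log(backend *b, double rate) { return rand48_next(&b->internal) < rate; }

/* Internal state word right after a session issues setseed(seed):
 * equals seed in the shared model, stays at boot_seed in the private model. */
static uint64_t internal_state_after_setseed(bool shared, uint64_t boot_seed, uint64_t seed)
{
    backend b;
    backend_init(&b, shared, boot_seed);
    sql_setseed(&b, seed);
    return b.internal.x;
}

/* Bitmask of which of n (<= 32) statements get sampled for logging when the
 * session issues setseed(seed) first and calls random() once per statement.
 * In the private model the result must not depend on seed at all. */
static uint32_t logged_mask(bool shared, uint64_t boot_seed, uint64_t seed, double rate, int n)
{
    backend  b;
    uint32_t mask = 0;
    backend_init(&b, shared, boot_seed);
    sql_setseed(&b, seed);
    for (int i = 0; i < n; i++) {
        if (should_log(&b, rate))
            mask |= 1u << i;
        (void) sql_random(&b);
    }
    return mask;
}

/* The property the commit says can now be documented: setseed() then random()
 * yields the same values even with internal draws in between. */
static bool sql_sequence_reproducible(bool shared, uint64_t seed)
{
    backend b;
    double  first[3], second[3];
    backend_init(&b, shared, 7);
    sql_setseed(&b, seed);
    for (int i = 0; i < 3; i++)
        first[i] = sql_random(&b);
    sql_setseed(&b, seed);
    for (int i = 0; i < 3; i++) {
        (void) should_log(&b, 0.5);      /* internal draw between the SQL calls */
        second[i] = sql_random(&b);
    }
    for (int i = 0; i < 3; i++)
        if (first[i] != second[i])
            return false;
    return true;
}

int main(void)
{
    printf("shared : internal state after setseed(42) = %llu\n",
           (unsigned long long) internal_state_after_setseed(true, 7, 42));
    printf("private: internal state after setseed(42) = %llu\n",
           (unsigned long long) internal_state_after_setseed(false, 7, 42));
    printf("private: sampling mask seed=1 %04x, seed=2 %04x\n",
           logged_mask(false, 7, 1, 0.5, 16), logged_mask(false, 7, 2, 0.5, 16));
    printf("shared : sampling mask seed=1 %04x, seed=2 %04x\n",
           logged_mask(true, 7, 1, 0.5, 16), logged_mask(true, 7, 2, 0.5, 16));
    printf("random() reproducible after setseed(): shared=%d private=%d\n",
           sql_sequence_reproducible(true, 42), sql_sequence_reproducible(false, 42));
    return 0;
}
```

The assertions worth keeping as a regression check are the deterministic ones: with a private state, `internal_state_after_setseed` returns the boot seed untouched and `logged_mask` is identical for any two user seeds, while with the shared state the internal word is simply whatever the session passed to setseed(). The reproducibility check fails in the shared model because each internal draw advances the same state the next random() call reads, which is exactly why the old code could not promise a reproducible sequence.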
2 files changed: +53 −13
Lines changed: 9 additions & 5 deletions (one hunk: original lines 1139-1143 replaced by new lines 1139-1147; diff body not preserved in this rendering)
Lines changed: 44 additions & 8 deletions (hunks at original lines 22-31, 53-58, 2378-2385 and 2392-2404; diff body not preserved in this rendering)