Re: Audit of logout
| From | Fujii Masao |
|---|---|
| Subject | Re: Audit of logout |
| Date | |
| Msg-id | CAHGQGwH4fXcqs5nWpDQ4U08W_d8GeEg8LJ4ujaHRR5BpQQGS=w@mail.gmail.com |
| In response to | Audit of logout (Fujii Masao <masao.fujii@gmail.com>) |
| Responses | Re: Audit of logout |
| List | pgsql-hackers |

On Thu, Jun 12, 2014 at 8:51 PM, Fujii Masao <masao.fujii@gmail.com> wrote:
> Hi,
>
> Some users enable log_disconnections in postgresql.conf to audit all logouts.
> But since log_disconnections is defined with PGC_BACKEND, it can be changed
> at connection start. This means that any client (even nonsuperuser) can freely
> disable log_disconnections not to log his or her logout even when the
> system admin enables it in postgresql.conf. Isn't this problematic for audit?

That's harmful for audit purpose. I think that we should make
log_disconnections PGC_SUSET rather than PGC_BACKEND in order to
forbid non-superusers from changing its setting. Attached patch
does this.

Also defining log_disconnections with PGC_BACKEND itself seems strange.
Since it's used only at connection termination, there seems to be no need to
fix its setting value at connection startup. No?

OTOH, for example, log_connections and post_auth_delay are defined with
PGC_BACKEND and their settings can be changed only at connection startup.
This seems intuitive because they are used only at connection startup and
it's useless to change their settings after that. But the situation of
log_disconnections seems different from them. Am I missing something?

One concern is; the patch may break the existing application if it relies on
the current behavior of log_disconnections. But I'm wondering if such
applications really exist. Thought?

Regards,

--
Fujii Masao
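
An audit query for the issue raised in the message above, added here as an example; it is not part of the original post or the attached patch. It lists logging settings whose GUC context lets a non-superuser override the value from postgresql.conf. Treating every parameter named `log_*` as audit-relevant is an assumption of this example.

```sql
-- Added example, not from the original message.
-- pg_settings.context maps to the GUC context in the server source:
--   'user'      = PGC_USERSET : any role can SET it at any time
--   'backend'   = PGC_BACKEND : any role can set it at connection start
--   'superuser' = PGC_SUSET   : superusers only
-- The first two are the ones a client can use to suppress audit logging.
SELECT name,
       setting,
       context,
       source,   -- 'client' means this session's value came from the connection request
       CASE context
            WHEN 'user'    THEN 'any role, at any time in the session'
            WHEN 'backend' THEN 'any role, at connection start only'
       END AS who_can_override
FROM   pg_settings
WHERE  context IN ('user', 'backend')
  AND  name ~ '^log_'          -- assumption: log_* parameters are the audit-relevant set
ORDER  BY context, name;
```

The `source` column reflects only the session running the query, so the result shows which settings are exposed, not which past sessions changed them.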