
Re: SECURITY: psql allows symlink games in /tmp

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: abartlet(at)pcug(dot)org(dot)au
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: SECURITY: psql allows symlink games in /tmp
Date: 2000-11-25 06:19:20
Message-ID: 200011250619.BAA09045@candle.pha.pa.us
Lists: pgsql-hackers
Thanks for the pointer.  Here is a diff to fix the problem.  How does it
look to you?

> This code in psql/command.c allows *any* system user to place a
> predictably named symbolic link in /tmp and use it to alter/destroy
> files owned by the user running psql. (tested - postgresql 7.0.2).
> 
> All the information a potential attacker would need is available via a
> simple 'ps'.
> 
> It might (untested) also allow another user to exploit the race
> between the closing of the file by the editor and the re-reading of its
> contents to execute arbitrary SQL commands.
> 
> IMHO these files, if they must be created in /tmp should at least be
> created O_EXCL, but there are still editor vulnerabilities with opening
> any files in a world writeable directory (see recent joe Vulnerability:
> http://lwn.net/2000/1123/a/sec-joe.php3)
> 
> My system is RedHat 6.2 on an i686, with Postgresql 7.0.2 but the same
> code currently exists in CVS (or at least CVS-web).
> 
> I am not subscribed to this list, so please CC me for replies.  (Also
> tell me if there is a more appropriate forum for this, but
> www.postgresql.org doesn't have a listed security issue address).
> -- 
> Andrew Bartlett
> abartlet(at)pcug(dot)org(dot)au
> 


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
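
An added example, not part of the original message and not psql's code: a C illustration of the O_EXCL point raised in the quoted report. It places a symlink at a predictable name inside a private scratch directory and compares an open without O_EXCL to one with it; the directory, file names and flag macros are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical naive flags: O_CREAT without O_EXCL follows an existing symlink. */
#define NAIVE_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
/* O_CREAT|O_EXCL: open() fails with EEXIST if the name already exists, even
 * as a symlink, so the link target is never touched. */
#define EXCL_FLAGS  (O_WRONLY | O_CREAT | O_EXCL)

/* Runs one case in a private scratch directory (all names are constructed).
 * Returns the size of the link target after the open attempt, or a negative
 * value on setup failure; *err receives errno from open(), 0 on success. */
long run_case(int use_excl, int *err)
{
    char dir[] = "/tmp/symdemo.XXXXXX", victim[64], tmp[64];
    struct stat st;
    FILE *f;

    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/editbuf.1234", dir); /* predictable name */
    if (!(f = fopen(victim, "w"))) return -3;
    fputs("important data\n", f);                      /* 15 bytes */
    fclose(f);
    if (symlink(victim, tmp) != 0) return -4;          /* link exists first */

    int fd = open(tmp, use_excl ? EXCL_FLAGS : NAIVE_FLAGS, 0600);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    long left = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return left;
}

int main(void)
{
    int e;
    long n = run_case(0, &e);
    printf("naive:  target size %ld, errno %d\n", n, e);
    n = run_case(1, &e);
    printf("O_EXCL: target size %ld, errno %d\n", n, e);
    return 0;
}
```

O_EXCL only covers the creation step; as the report notes, what the editor does with a file in a world-writable directory afterwards is a separate exposure.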
