Nigel J. Andrews wrote:
> On Wed, 28 Aug 2002, Alvaro Herrera wrote:
> > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> > Thank you. Patch attached. Note that it also checks group access; I think
> > that is desired as well.
> + /* If password file is insecure, alert the user and ignore it. */
> + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
> Should there also be a S_IFREG check to make sure no one is trying any other
> tricks? I'm not sure of what an exploit would be but for the sake of paranoia
> it seems a cheap test.
> I take it no one wants to start checking directory tree permissions etc.
They may want a symlink to point to somewhere else. I can see that. In
fact, I can see settings for Unix group sharing a password file but I am
not going to suggest loosening the group permissions until someone says
they want that.
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
In response to
pgsql-patches by date
|Next:||From: Bruce Momjian||Date: 2002-08-29 21:45:56|
|Subject: Re: fix for palloc() of user-supplied length|
|Previous:||From: Bruce Momjian||Date: 2002-08-29 21:02:25|
|Subject: Re: Superuser Reserved Backend Slots - TODO item|
pgsql-general by date
|Next:||From: Andrew Sullivan||Date: 2002-08-29 21:44:00|
|Subject: Re: [Pgreplication-general] Master/Slave is in town!|
|Previous:||From: Nigel J. Andrews||Date: 2002-08-29 21:01:55|
|Subject: Re: [GENERAL] worried about PGPASSWORD drop|