Skip site navigation (1) Skip section navigation (2)

Re: [GENERAL] BUG #1830: Non-super-user must be able to copy from a

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>,Bernard <bht(at)actrix(dot)gen(dot)nz>, Oliver Jowett <oliver(at)opencloud(dot)com>,pgsql-bugs(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: [GENERAL] BUG #1830: Non-super-user must be able to copy from a
Date: 2005-08-19 14:00:04
Message-ID: 20050819140004.GC6226@svana.org (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-general
On Fri, Aug 19, 2005 at 09:15:52AM -0400, Stephen Frost wrote:
> Personally, I do like the idea of a user-level 'copy server-side files'
> permission that could be granted to reduce the need for things to run as
> superuser.  

There is one important point though: The server copying things is
seriously restricted. No matter how much authentication you do, the
server cannot *become* you. Hence it cannot access your files unless
they are world readable.

For similar reasons, it cannot prevent the user from accessing the
postgresql system files since it *is* the postgresql user and that
cannot be changed. The UNIX way around this would be for the client to
open the file with its permissions and then pass the FD to the server.
But that's a rather interesting twist that only works on local sockets.

> I'd probably still set up a SECURITY DEFINER function to a
> user with those permissions as an additional layer of security but it'd
> be nice to not have to run the function as superuser.

Superuser is still limited by the system uid, that can't be changed.

> It is, of course, good to note that current Postgres 'md5' auth method
> usage means that a compromise of pg_shadow (pg_authid) gives the
> attacker superuser access immediately (the hash itself is the actual
> authentication token, the password isn't actually interesting in that
> case).

It's a compromise solution. Normal authentication (aka shadow file):
server has only hash but password is in clear over the wire. MD5 auth:
server knows the password (or enough to spoof) but it's not in the
clear over the wire. Pick your poison...

For true security use public key auth (certificates / keys / etc).

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog(at)svana(dot)org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2005-08-19 14:14:23
Subject: Re: BUG #1835: pg_trigger_tgrelid_tgname_index
Previous:From: Greg Sabino MullaneDate: 2005-08-19 13:56:39
Subject: Re: BUG #1831: plperl gives error after reconnect.

pgsql-general by date

Next:From: Nigel HorneDate: 2005-08-19 14:15:44
Subject: Re: Stored functions
Previous:From: Tom LaneDate: 2005-08-19 13:56:36
Subject: Re: Stored functions

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group