Re: import/export of large objects on server-side

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: K(dot)Reger(at)twc(dot)de
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: import/export of large objects on server-side
Date: 2001-11-16 15:29:27
Message-ID: 26022.1005924567@sss.pgh.pa.us
Lists: pgsql-hackers

"Klaus Reger" <K(dot)Reger(at)twc(dot)de> writes:
> I've made a patch, that introduces an entry in the PostgreSQL-config file.
> You can set a directory, where all imports/exports can happen. If nothing
> is set (the default), no imports/exports on the server-side are allowed.
> To enhance the security, no reading/writing is allowed from/to non-regular
> files (block-devs, symlinks, etc.)

This is trivially defeatable, assuming that the "import/export"
directory is world writable (if it isn't, importing will be tough).
Example: say imp/exp directory is

/var/spool/impexp

Bad guy wants to read/write Postgres-owned file, say

/usr/local/pgsql/data/pg_hba.conf

All he need do is

ln -s /usr/local/pgsql/data /var/spool/impexp/link

and then ask to lo_read or lo_write

/var/spool/impexp/link/pg_hba.conf

which will be allowed since it's a regular file.

Or, even simpler, ask to read/write

/var/spool/impexp/../../../usr/local/pgsql/data/pg_hba.conf

While you could patch around these particular attacks by further
restricting the filenames, the bottom line is that server-side LO
operations are just inherently insecure.

regards, tom lane
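The containment check a server would need behind such a config knob, as an added example that is not part of this thread or of PostgreSQL's code: it canonicalizes both the configured directory and the requested path with realpath(), which follows symlinks and collapses "..", and then requires the result to sit strictly under the directory and to be a regular file. The temp-directory layout, file names and the function names (path_is_contained, build_demo_layout, demo_verdicts) are assumptions made for the demonstration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp(), symlink() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if `requested` names an existing regular file whose canonical path
 * lies strictly inside the canonical path of `basedir`, 0 otherwise.
 * realpath() follows every symlink and collapses every "..", so the
 * "impexp/link/pg_hba.conf" and "impexp/../../.." forms from the mail both
 * resolve to their true location outside basedir and fail the prefix test.
 */
int path_is_contained(const char *basedir, const char *requested)
{
    char base_real[PATH_MAX];
    char req_real[PATH_MAX];
    struct stat st;
    size_t blen;

    if (realpath(basedir, base_real) == NULL)
        return 0;
    if (realpath(requested, req_real) == NULL)  /* missing file or dangling link */
        return 0;

    blen = strlen(base_real);
    /* Prefix match AND a following '/': keeps "/srv/impexp2" out when the base
       is "/srv/impexp", and rejects the directory itself. */
    if (strncmp(req_real, base_real, blen) != 0 || req_real[blen] != '/')
        return 0;

    /* Only regular files: no devices, FIFOs, sockets or directories. Caveat:
       a separate open() after this check leaves a TOCTOU window; a real server
       should open req_real with O_NOFOLLOW and re-check with fstat(). */
    if (stat(req_real, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return 1;
}

/*
 * Constructed sandbox reproducing the mail's layout under a fresh temp dir:
 *   <tmp>/impexp/export.dat          a legitimate export file
 *   <tmp>/data/pg_hba.conf           stand-in for the Postgres-owned file
 *   <tmp>/impexp/link -> <tmp>/data  the symlink from the mail
 * Copies the impexp path into base_out (PATH_MAX bytes). Returns 0 on success.
 */
int build_demo_layout(char *base_out)
{
    char tmpl[] = "/tmp/impexpXXXXXX";
    char path[PATH_MAX], target[PATH_MAX];
    FILE *f;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(base_out, PATH_MAX, "%s/impexp", tmpl);
    snprintf(target, sizeof target, "%s/data", tmpl);
    if (mkdir(base_out, 0755) != 0 || mkdir(target, 0755) != 0)
        return -1;

    snprintf(path, sizeof path, "%s/pg_hba.conf", target);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fputs("# constructed stand-in for pg_hba.conf\n", f);
    fclose(f);

    snprintf(path, sizeof path, "%s/export.dat", base_out);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fputs("legitimate export\n", f);
    fclose(f);

    snprintf(path, sizeof path, "%s/link", base_out);
    return symlink(target, path);
}

/* Evaluates the requests discussed in the mail against `base`;
   out[i] is 1 (allowed) or 0 (rejected). */
void demo_verdicts(const char *base, int out[4])
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/export.dat", base);           /* honest request */
    out[0] = path_is_contained(base, p);
    snprintf(p, sizeof p, "%s/link/pg_hba.conf", base);     /* symlink hop */
    out[1] = path_is_contained(base, p);
    snprintf(p, sizeof p, "%s/../data/pg_hba.conf", base);  /* dot-dot escape */
    out[2] = path_is_contained(base, p);
    out[3] = path_is_contained(base, base);                 /* the dir itself */
}

int main(void)
{
    char base[PATH_MAX];
    int v[4];
    if (build_demo_layout(base) != 0) {
        perror("build_demo_layout");
        return 1;
    }
    demo_verdicts(base, v);
    printf("export.dat=%d link/pg_hba.conf=%d ../data/pg_hba.conf=%d dir=%d\n",
           v[0], v[1], v[2], v[3]);
    return 0;
}
```

Only the honest request passes; the symlink hop and the dot-dot form both canonicalize to a path outside the directory and are refused. Note that this addresses only the two traversal tricks in the mail, not Tom's broader point: the check runs as the server user, so a world-writable import/export directory still lets any database user read and write whatever that user is allowed to create there.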
