| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, PostgreSQL Patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: logfile subprocess and Fancy File Functions |
| Date: | 2004-07-23 22:15:01 |
| Message-ID: | 28684.1090620901@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> Tom Lane wrote:
>> As for the analogy to COPY, the addition of unlink/rename to a hacker's
>> tool set renders the situation far more dangerous than if he only has
>> write. Write will not allow him to hack write-protected files, but he
>> might be able to rename them out of the way and create new trojaned
>> versions...
> Yes, I realized that later, that rename/unlink is based on the directory
> permissions, not the file permissions. That is clearly a new capability
> that could be seen as opening a new door.
> However, file creation via COPY is based on the directory permissions
> too.
Right, but the point is that a write-protected file in a writable
directory is not vulnerable to an attacker armed only with write().
If he can do rename() or delete() then it *is* vulnerable. This is
quite relevant to Postgres seeing that it's hardly practical to
make the $PGDATA directory non-writable to the postmaster, while one
might well think it worthwhile to make pg_hba.conf non-writable.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-07-23 22:19:32 | Re: logfile subprocess and Fancy File Functions |
| Previous Message | Bruce Momjian | 2004-07-23 22:06:07 | Re: logfile subprocess and Fancy File Functions |