
SECURITY: psql allows symlink games in /tmp

From: Andrew Bartlett <abartlet(at)pcug(dot)org(dot)au>
To: pgsql-hackers(at)postgresql(dot)org
Subject: SECURITY: psql allows symlink games in /tmp
Date: 2000-11-25 00:28:42
Message-ID: 3A1F07BA.7F328A49@pcug.org.au
Lists: pgsql-hackers
This code in psql/command.c allows *any* system user to place a
predictably named symbolic link in /tmp and use it to alter/destroy
files owned by the user running psql. (tested - postgresql 7.0.2).

All the information a potential attacker would need is available via a
simple 'ps'.

It might (untested) also allow another user to exploit the race
between the closing of the file by the editor and the re-reading of its
contents to execute arbitrary SQL commands.

IMHO these files, if they must be created in /tmp, should at least be
created O_EXCL, but there are still editor vulnerabilities with opening
any files in a world-writable directory (see the recent joe vulnerability:
http://lwn.net/2000/1123/a/sec-joe.php3).

My system is RedHat 6.2 on an i686, with Postgresql 7.0.2 but the same
code currently exists in CVS (or at least CVS-web).

I am not subscribed to this list, so please CC me for replies.  (Also
tell me if there is a more appropriate forum for this, but
www.postgresql.org doesn't have a listed security issue address).
-- 
Andrew Bartlett
abartlet(at)pcug(dot)org(dot)au
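
As an added, defender-side example (not code from the message or from psql itself): the O_EXCL open the message recommends, beside the mkstemp() approach that also removes the predictable file name, each with a check that it behaves as claimed. The "psql.edit" name pattern and the scratch directory are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for writing only if this call creates it: POSIX makes O_CREAT|O_EXCL
 * fail with EEXIST when PATH already names anything, a symlink included. */
int open_scratch_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better: mkstemp() picks an unpredictable name under DIR and creates it with
 * O_EXCL, mode 0600.  *out_path gets the malloc'd path (caller unlinks/frees). */
int open_scratch_mkstemp(const char *dir, char **out_path) {
    char *tmpl = malloc(4096);
    if (tmpl == NULL) return -1;
    snprintf(tmpl, 4096, "%s/psql.edit.XXXXXX", dir);   /* pattern is an assumption */
    int fd = mkstemp(tmpl);
    if (fd < 0) { free(tmpl); return -1; }
    *out_path = tmpl;
    return fd;
}

/* Check 1: plant a symlink at a predictable name (constructed; its target does
 * not exist) and confirm the exclusive open refuses it.  1 = refused. */
int exclusive_open_refuses_symlink(const char *dir) {
    char target[4096], link[4096];
    snprintf(target, sizeof target, "%s/victim-file", dir);
    snprintf(link, sizeof link, "%s/psql.edit.12345", dir);
    unlink(link);
    if (symlink(target, link) != 0) return 0;
    int fd = open_scratch_exclusive(link);
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    unlink(link);
    unlink(target);   /* exists only if the link was followed */
    return refused;
}

/* Check 2: the mkstemp path yields a regular, owner-only (0600) file. */
int mkstemp_scratch_is_private(const char *dir) {
    struct stat st; char *path = NULL;
    int fd = open_scratch_mkstemp(dir, &path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd); unlink(path); free(path);
    return ok;
}
```

Neither call protects against the separate editor-side problem the message points to: once the file is handed to an external editor, that program's own temp-file and save behaviour in the same directory must be safe too.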
