Re: PG Patch (fwd) [openserver patch followup #2]

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Larry Rosenman <ler(at)lerctr(dot)org>
Cc: pgsql-patches(at)postgresql(dot)org, jkj(at)sco(dot)com
Subject: Re: PG Patch (fwd) [openserver patch followup #2]
Date: 2003-07-25 07:37:04
Message-ID: Pine.LNX.4.56.0307242247380.5602@krusty.credativ.de
Lists: pgsql-patches

Larry Rosenman writes:

> Universal Practice does NOT equal Security and Usability.
>
> Please consider what Kean is saying here.

What Kean is saying is that your system is insecure if you have a setuid
executable that references shared libraries with nonabsolute sonames and
you have a system (an "older system") that contains a particular bug in
its run-time dynamic loader such that it obeys LD_LIBRARY_PATH for setuid
executables.  That is fairly common knowledge, and that's why
LD_LIBRARY_PATH is ignored for setuid executables on all properly
functioning operating systems.

If your system is broken in that particular way, upgrade your system or
don't use setuid programs at all.  Those are the only sane choices.  It is
not an acceptable choice to disable all valid uses of nonabsolute sonames
for all users, just because some users are running on broken systems with
obvious security flaws.

-- 
Peter Eisentraut   peter_e(at)gmx(dot)net
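The combination the thread warns about is a setuid executable whose dependencies are recorded as nonabsolute sonames, so that the dynamic loader has to search for them. The audit script below is an added example, not code from the thread or from PostgreSQL; it parses `readelf -d` output (a constructed sample is embedded) to list the sonames and RPATH/RUNPATH components that are resolved by search rather than by absolute path, and reports them for any setuid/setgid binary it is pointed at. The `readelf` line formats are the ones GNU binutils prints; the function names are my own.

```python
import os
import re
import stat
import subprocess
import sys

# Lines printed by `readelf -d`, e.g.
#   0x0000000000000001 (NEEDED)  Shared library: [libpq.so.5]
#   0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/../lib]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
RPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[([^\]]+)\]")

# Constructed sample of `readelf -d` output, used for the self-check below.
SAMPLE_READELF = """Dynamic section at offset 0x1d8 contains 3 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpq.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [/usr/lib/libc.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/local/pgsql/lib]
"""

def needed_sonames(readelf_output):
    """All NEEDED entries, in the order the loader will consider them."""
    return NEEDED_RE.findall(readelf_output)

def nonabsolute_sonames(readelf_output):
    """NEEDED entries without a leading '/', i.e. the ones the loader must
    search for (and that a loader honouring LD_LIBRARY_PATH for setuid
    programs could resolve from a user-controlled directory)."""
    return [s for s in needed_sonames(readelf_output) if not s.startswith("/")]

def relative_search_dirs(readelf_output):
    """RPATH/RUNPATH components that are not absolute ('', '.', $ORIGIN/...)."""
    dirs = []
    for value in RPATH_RE.findall(readelf_output):
        dirs.extend(d for d in value.split(":") if not d.startswith("/"))
    return dirs

def is_setuid_or_setgid(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit_binary(path):
    """Return the search-resolved dependencies of a setuid/setgid binary,
    or None when the file carries neither bit (and so is not of interest)."""
    if not is_setuid_or_setgid(path):
        return None
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=False).stdout
    return {"path": path,
            "nonabsolute_sonames": nonabsolute_sonames(out),
            "relative_search_dirs": relative_search_dirs(out)}

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(audit_binary(p))
```

On a properly functioning system the loader ignores LD_LIBRARY_PATH for these binaries anyway; the report simply tells you which setuid programs would be exposed if yours does not.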
