[Fwd: Bug#184566: security threat to postgresql applications]

Is this paranoia, or is it a valid security point. Any comments,
please?

-----Forwarded Message-----

From: Erik Thiele <erik(at)thiele-hydraulik(dot)de>
To: submit(at)bugs(dot)debian(dot)org
Subject: Bug#184566: security threat to postgresql applications
Date: 13 Mar 2003 09:22:13 +0100

Package: postgresql
Version: 7.2.1-2woody2

if an application is linked against libpq, then the user is able to
specify environmental variables to override the defaults:

PGPORT sets the default TCP port number or Unix-domain socket file
extension for communicating with the PostgreSQL backend.
PGDATABASE sets the default PostgreSQL database name.
PGUSER sets the user name used to connect to the database and for
authentication.
PGPASSWORD sets the password used if the backend demands password
authentication. This is not recommended because the password can be read
by others using the ps command with special options on some platforms.
PGREALM sets the Kerberos realm to use with PostgreSQL, if it is
different from the local realm. If PGREALM is set, PostgreSQL
applications will attempt authentication with servers for this realm and
use separate ticket files to avoid conflicts with local ticket files.
This environment variable is only used if Kerberos authentication is
selected by the backend.
PGOPTIONS sets additional runtime options for the PostgreSQL backend.
PGTTY sets the file or tty on which debugging messages from the backend
server are displayed.
PGDATESTYLE sets the default style of date/time representation.
PGTZ sets the default time zone.
PGCLIENTENCODING sets the default client encoding (if multibyte support
was selected when configuring PostgreSQL).
PGGEQO sets the default mode for the genetic optimizer.

the usual user program probably does something like:

PQconnectdb("host='myhost' dbname='mydb' user='myuser' password='s'");

FIRST POINT:
------------

the resulting executable program must be --x--x--x so that the users
using it
cannot read the binary and thus cannot see the password. that should be
in the documentation! programmers must not forget this issue!!

SECOND POINT:
-------------

if the user runs the program with the environment variable PORT set to
23423, he can install his own program on that port listening for the
password! he can then use that password to connect to the real database
and delete everything.

the two POINT must be documentated. a fix for the first point is not
neccessary. but a fix for the second point cannot be done due to
backward compatibility. ALL environment variables should be ignored.
there should be a "mkoptions_from_environment" function that has to be
explicitly called.

the environment stuff is like a second way into a function. not clean
design. i.e:

printf("hello");

does not print hello, but prints "goodbye" instead because the
environment sais so. i don't like the idea in general.

the documentation must say that one has to specify the port even if it
is the default port, because otherwise the database password can be
stolen.

but really there must be documentation on the issue!!

not all apps are web based. there are still native programs floating
around that are called by ordinary users...

cu
erik

--
Erik Thiele
email: erik(at)thiele-hydraulik(dot)de
--
Oliver Elphick Oliver(dot)Elphick(at)lfix(dot)co(dot)uk
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"Thy word have I hid in mine heart, that I might not
sin against thee." Psalms 119:11