| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Andrew Sullivan <andrew(at)libertyrms(dot)info>, Thomas Lockhart <lockhart(at)fourpalms(dot)org>, PostgreSQL Hackers List <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: WAL file location |
| Date: | 2002-07-30 18:37:12 |
| Message-ID: | 200207301837.g6UIbCn02155@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
In my logic, we have PGDATA environment variable for the server only so
the server can find the /data directory. After that, everything should
be in /data. I see no reason to make it an environment variable.
In fact, a file in /data should be able to track the xlog directory a
lot better than an evironment variable will.
---------------------------------------------------------------------------
Tom Lane wrote:
> Andrew Sullivan <andrew(at)libertyrms(dot)info> writes:
> > On Tue, Jul 30, 2002 at 02:05:57PM -0400, Tom Lane wrote:
> >> If we add more environment-variable-dependent mechanisms to allow more
> >> different things to be done, we increase substantially the odds of
> >> creating an exploitable security hole.
>
> > Ok, true enough, but I'm not sure that a config file or any other
> > such mechanism is any safer. As Lamar Owen said, anyone who can
> > poison the postgres user's environment can likely do evil things to
> > postgresql.conf as well.
>
> Who said anything about poisoning the environment? My point was that
> there will be strings in the environment that were put there perfectly
> legitimately, but could still serve as an attack vehicle.
>
> The weakness of the existing database-locations-are-environment-variables
> feature is really that the attacker gets to choose which environment
> variable gets used, and so he can use a variable intended to serve
> purpose A for some other purpose B. If A and B are sufficiently
> different then you got trouble --- and since we are talking about a
> purpose B that involves writing on something, there's definitely a risk.
>
> A mechanism based only on a fixed environment variable name doesn't
> create the sort of threat I'm contemplating. For example, if the
> postmaster always and only looked at $PGXLOG to find the xlog then
> you'd not have this type of risk. But Thomas said he was basing the
> feature on database locations, and in the absence of seeing the code
> I don't know if he's creating a security hole or not.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2002-07-30 18:48:04 | Re: contrib/ltree for 7.2 or 7.3 ? |
| Previous Message | Tom Lane | 2002-07-30 18:34:06 | Re: WAL file location |