Skip site navigation (1) Skip section navigation (2)

Re: [GENERAL] worried about PGPASSWORD drop

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>
Cc: Alvaro Herrera <alvherre(at)atentus(dot)com>,pgsql-patches(at)postgresql(dot)org
Subject: Re: [GENERAL] worried about PGPASSWORD drop
Date: 2002-08-29 21:42:27
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-generalpgsql-patches
Nigel J. Andrews wrote:
> On Wed, 28 Aug 2002, Alvaro Herrera wrote:
> > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> > 
> > Thank you.  Patch attached.  Note that it also checks group access; I think
> > that is desired as well.
> + 
> + 	/* If password file is insecure, alert the user and ignore it. */
> + 	if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
> Should there also be a S_IFREG check to make sure no one is trying any other
> tricks? I'm not sure of what an exploit would be but for the sake of paranoia 
> it seems a cheap test.
> I take it no one wants to start checking directory tree permissions etc.

They may want a symlink to point to somewhere else.  I can see that.  In
fact, I can see settings for Unix group sharing a password file but I am
not going to suggest loosening the group permissions until someone says
they want that.

  Bruce Momjian                        |
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to


pgsql-patches by date

Next:From: Bruce MomjianDate: 2002-08-29 21:45:56
Subject: Re: fix for palloc() of user-supplied length
Previous:From: Bruce MomjianDate: 2002-08-29 21:02:25
Subject: Re: Superuser Reserved Backend Slots - TODO item

pgsql-general by date

Next:From: Andrew SullivanDate: 2002-08-29 21:44:00
Subject: Re: [Pgreplication-general] Master/Slave is in town!
Previous:From: Nigel J. AndrewsDate: 2002-08-29 21:01:55
Subject: Re: [GENERAL] worried about PGPASSWORD drop

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group