From: | Gilles Darold <gilles(dot)darold(at)dalibo(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: proposal: psql \setfileref |
Date: | 2016-10-04 22:12:31 |
Message-ID: | 70ef20f5-269f-2075-c74f-0a5fca0942bb@dalibo.com |
Lists: | pgsql-hackers |
On 04/10/2016 at 17:29, Pavel Stehule wrote:
>
>
> 2016-10-04 9:18 GMT+02:00 Gilles Darold <gilles(dot)darold(at)dalibo(dot)com>:
>
> On 03/10/2016 at 23:23, Gilles Darold wrote:
> > On 03/10/2016 at 23:03, Robert Haas wrote:
> >> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gilles(at)darold(dot)net> wrote:
> >>> 4) Another problem is that like this, this patch will allow anyone to upload into a
> >>> column the content of any system file that can be read by postgres system user
> >>> and then allow non system user to read its content.
> >> I thought this was a client-side feature, so that it would let a
> >> client upload any file that the client can read, but not things that
> >> can only be read by the postgres system user.
> >>
> > Yes that's right, sorry for the noise, forget this fourth report.
> >
>
> After some more thought there is still a security issue here. For a
> PostgreSQL user who also has login access to the server, it is possible
> to read any file that the postgres system user can read, especially a
> .pgpass or a recovery.conf containing a password.
>
>
> This patch doesn't introduce any new server side functionality, so if
> there is some vulnerability, then it exists now too.
>
It doesn't exist, that was my system user which has extended
privileges. You can definitively forget the fourth point.
--
Gilles Darold
Consultant PostgreSQL
http://dalibo.com - http://dalibo.org