| From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Enhance security permissions |
| Date: | 2025-11-04 12:20:53 |
| Message-ID: | CAEudQAo0S06MbbS2AHXFzHgjnMULxhcwpVkVp4o9v_kkECA-Og@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi.
I noticed this while checking the source
(src/interfaces/libpq/fe-connect.c).
It seems that S_IRWXU permission is harmful too.
In accord with [1] and [2] this should also be checked.
Also, all other places in the source, S_IRWXU are checked.
So, I propose adding this check to enhance the security.
Maybe the error messages, do they need improvement as well?
patchs attached.
best regards,
Ranier Vilela
[1]
https://docs.aws.amazon.com/codeguru/detector-library/cpp/loose-file-permissions/
[2] https://www.exploit-db.com/exploits/33145
| Attachment | Content-Type | Size |
|---|---|---|
| enhance-security-file-permissions-be-secure-common.patch | application/octet-stream | 579 bytes |
| enhance-security-file-permissions-fe-connect.patch | application/octet-stream | 601 bytes |
| enhance-security-file-permissions-fe-secure-openssl.patch | application/octet-stream | 722 bytes |
| enhance-security-file-permissions-pg_backup_tar.patch | application/octet-stream | 548 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bryan Green | 2025-11-04 12:44:47 | Re: Enhance security permissions |
| Previous Message | Jakub Wartak | 2025-11-04 12:10:58 | Re: Adding basic NUMA awareness |