| From: | "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk> |
|---|---|
| To: | Alvaro Herrera <alvherre(at)atentus(dot)com> |
| Cc: | pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: [GENERAL] worried about PGPASSWORD drop |
| Date: | 2002-08-29 21:01:55 |
| Message-ID: | Pine.LNX.4.21.0208292157240.667-100000@ponder.fairway2k.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-patches |
On Wed, 28 Aug 2002, Alvaro Herrera wrote:
> En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.
+
+ /* If password file is insecure, alert the user and ignore it. */
+ if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
Should there also be a S_IFREG check to make sure no one is trying any other
tricks? I'm not sure of what an exploit would be but for the sake of paranoia
it seems a cheap test.
I take it no one wants to start checking directory tree permissions etc.
--
Nigel J. Andrews
Director
---
Logictree Systems Limited
Computer Consultants
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-29 21:42:27 | Re: [GENERAL] worried about PGPASSWORD drop |
| Previous Message | Bruno Wolff III | 2002-08-29 20:57:09 | Re: Question Regarding Geometric Operators/Function . . . |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-08-29 21:02:25 | Re: Superuser Reserved Backend Slots - TODO item |
| Previous Message | Karim Mribti | 2002-08-29 20:40:14 | Re: Spanish translation patch |