Re: PG Patch (fwd) [openserver patch followup #2]

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Larry Rosenman <ler(at)lerctr(dot)org>
Cc: pgsql-patches(at)postgresql(dot)org, jkj(at)sco(dot)com
Subject: Re: PG Patch (fwd) [openserver patch followup #2]
Date: 2003-07-25 07:37:04
Message-ID: Pine.LNX.4.56.0307242247380.5602@krusty.credativ.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

Larry Rosenman writes:

> Universal Practice does NOT equal Security and Usability.
>
> Please consider what Kean is saying here.

What Kean is saying is that your system is insecure if you have a setuid
executable that references shared libraries with nonabsolute sonames and
you have a system (an "older system") that contains a particular bug in
its run-time dynamic loader that it obeys LD_LIBRARY_PATH for setuid
executables. That is fairly common knowledge, and that's why
LD_LIBRARY_PATH is ignored for setuid executables on all properly
functioning operating systems.

If your system is broken in that particular way, upgrade your system or
don't use setuid programs at all. Those are the only sane choices. It is
not an acceptable choice to disable all valid uses of nonabsolute sonames
for all users, just because some users are running on broken systems with
obvious security flaws.

--
Peter Eisentraut peter_e(at)gmx(dot)net

In response to

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message Andrew Dunstan 2003-07-25 08:28:55 Re: PG Patch (fwd) [openserver patch followup #2]
Previous Message Bruce Momjian 2003-07-25 04:47:34 Re: UPDATED Patch for adding DATACUBE operator