>That's got a race condition: at the time you start the postmaster,
>the postgres superuser hasn't got a password. A bad guy could get
>in there and set the password the way *he* wanted it
Or could `echo "ALTER USER ..." | standalone-backend` to the backend
-- isn't that still a race condition?
>or less detectably: just connect as postgres, wait for you to set the
>password, then read it out (he's still connected as postgres and
>still has superuser rights...)
Or connect to the standalone backend, and create a trigger on ALTER
USER... to print the command to a file. Seems like echo doesn't solve
this vulnerability either.
Obviously I'm pretty naive here, so I'll just shut up after this. But
from what I know of how these parts all work together, the echo
approach has the same problems, but maybe to a somewhat smaller degree.
And even if echo is a builtin in all shells, an alias will override
the builtin, at least in bash. So if your machine has been penetrated
to the point where the above race condition comes into play, you also
cannot trust echo.
Just my $0.02 worth.
--
Karl DeBisschop <kdebisschop@alert.infoplease.com>
617.832.0332 (Fax: 617.956.2696)
Information Please - your source for FREE online reference
http://www.infoplease.com - Your Ultimate Fact Finder
http://kids.infoplease.com - The Great Homework Helper
Netsaint Plugins Development
http://netsaintplug.sourceforge.net
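The alias point above, shown as an added example (not code from the original post or from PostgreSQL): once alias expansion is on, a bash alias named `echo` silently shadows the builtin for any later-parsed command, so a script that pipes `echo "ALTER USER ..."` into a backend would hand the statement to whatever the alias points at. The `capture_echo` function, the capture file and the ALTER USER string are constructed for the demonstration; `builtin echo` and `type -t echo` are the stock bash ways to pin the real builtin and to check what a name currently resolves to.

```shell
#!/bin/bash
# Added example (not from the original thread). Re-exec under bash if a plain
# sh was used, since alias expansion control is bash-specific.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Non-interactive bash does not expand aliases by default; turn it on so the
# script behaves like the interactive shell the post is talking about.
shopt -s expand_aliases

# Constructed capture file standing in for the "print the command to a file"
# trick described in the post.
CAPTURE_FILE="$(mktemp)"
trap 'rm -f "$CAPTURE_FILE"' EXIT

# Constructed shadowing function: record every argument, then behave like the
# real echo so nothing looks wrong to the caller.
capture_echo() {
    printf '%s\n' "$*" >> "$CAPTURE_FILE"
    builtin echo "$@"
}
alias echo='capture_echo'

# Naive sender: because the alias was defined before this function body was
# parsed, the word "echo" here has already been rewritten to capture_echo.
send_naive() {
    echo "ALTER USER postgres WITH PASSWORD 'secret'"
}

# Pinned sender: 'builtin' bypasses aliases and functions of the same name.
send_pinned() {
    builtin echo "ALTER USER postgres WITH PASSWORD 'secret'"
}

# Defensive check: what does the name "echo" resolve to right now?
# Prints "alias" when shadowed, "builtin" when clean.
which_echo() {
    type -t echo
}

# Number of statements that leaked into the capture file.
captured_count() {
    wc -l < "$CAPTURE_FILE" | tr -d ' '
}

main() {
    printf 'echo resolves to: %s\n' "$(which_echo)"
    send_naive  > /dev/null
    send_pinned > /dev/null
    printf 'statements captured by the shadow: %s\n' "$(captured_count)"
}
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Running it shows `echo resolves to: alias` and one captured statement: the naive path leaks, the `builtin echo` path does not. This only illustrates the mechanism the post describes; on a host that is already compromised, pinning `builtin` does nothing about a tampered shell binary or a trigger waiting inside the backend.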