On 2014-10-29 12:03:54 -0400, Robert Haas wrote:
> >> And it
> >> still doesn't protect against the case where you hardlink to a file
> >> and then the permissions on that file are later changed.
> >
> > Imo that's simply not a problem that we need to solve - it's much more
> > general and independent.
>
> I don't see how you can draw an arbitrary line there. We either
> guarantee that the logged-in user can't usurp the server's
> permissions, or we don't. Making it happen only sometimes in cases
> we're prepared to dismiss is not real security.
I can draw the line because lowering the permissions of some file isn't
postgres' problem. If you do that, you better make sure that there's no
existing hardlinks pointing to the precious file. And that has nothing
to do with postgres.
But anyway, just refusing to work on hardlinked files would also get rid
of that problem.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services