Re: Directory/File Access Permissions for COPY and Generic File Access Functions

From Stephen Frost
Subject Re: Directory/File Access Permissions for COPY and Generic File Access Functions
Date
Msg-id 20141029161001.GO28859@tamriel.snowman.net
In reply to Re: Directory/File Access Permissions for COPY and Generic File Access Functions  (Andres Freund <andres@2ndquadrant.com>)
List pgsql-hackers
* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2014-10-29 12:03:54 -0400, Robert Haas wrote:
> > I don't see how you can draw an arbitrary line there.  We either
> > guarantee that the logged-in user can't usurp the server's
> > permissions, or we don't.  Making it happen only sometimes in cases
> > we're prepared to dismiss is not real security.
>
> I can draw the line because lowering the permissions of some file isn't
> postgres' problem. If you do that, you better make sure that there's no
> existing hardlinks pointing to the precious file. And that has nothing
> to do with postgres.
>
> But anyway, just refusing to work on hardlinked files would also get rid
> of that problem.

Right, I was just about to point out the same- the fstat/link-count
approach addresses the issue also.

As for the 'new-enough' versions of Linux, my point there was simply
that these are issues which people who are concerned about security have
been looking at and working to address.  History shows a pretty thorny
past, certainly, but SMTP has a similar past.

Thanks,
    Stephen
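
The fstat/link-count check mentioned in the reply above, sketched as an added example (not part of the original message and not PostgreSQL code). The helper name `open_single_link_file`, the demo function and the temporary paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open read-only fd, or -1 with errno set.
 * Refuses anything that is not a regular file with exactly one hard link. */
int open_single_link_file(const char *path)
{
    /* O_NOFOLLOW: fail if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat st;
    /* fstat() the descriptor, not the path, so the check applies to the
     * same inode that later reads will use. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo: returns 0 when a single-link file is accepted and the
 * same file is refused once a second hard link to it exists. */
int demo_link_count_check(void)
{
    char a[] = "/tmp/nlink_demo_XXXXXX";
    char b[64];
    int tmp = mkstemp(a);
    if (tmp < 0) return -1;
    close(tmp);
    snprintf(b, sizeof b, "%s.link", a);

    int fd = open_single_link_file(a);      /* st_nlink == 1: accepted */
    int ok_single = (fd >= 0);
    if (fd >= 0) close(fd);

    if (link(a, b) != 0) { unlink(a); return -1; }
    fd = open_single_link_file(a);          /* st_nlink == 2: refused */
    int ok_linked = (fd < 0 && errno == EPERM);
    if (fd >= 0) close(fd);
    unlink(b); unlink(a);
    return (ok_single && ok_linked) ? 0 : 1;
}
```

The link count is a point-in-time property of the opened inode, so the check belongs on the descriptor that is subsequently read, not on a separate `stat()` of the path.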
