"Klaus Reger" <K.Reger@twc.de> writes:
> I've made a patch, that introduces an entry in the PostgreSQL-config file.
> You can set a directory, where all imports/exports can happen. If nothing
> is set (the default), no imports/exports on the server-side are allowed.
> To enhance the security, no reading/writing is allowed from/to non-regular
> files (block-devs, symlinks, etc.)
This is trivially defeatable, assuming that the "import/export"
directory is world writable (if it isn't, importing will be tough).
Example: say imp/exp directory is
/var/spool/impexp
Bad guy wants to read/write Postgres-owned file, say
/usr/local/pgsql/data/pg_hba.conf
All he need do is
ln -s /usr/local/pgsql/data /var/spool/impexp/link
and then ask to lo_read or lo_write
/var/spool/impexp/link/pg_hba.conf
which will be allowed since it's a regular file.
Or, even simpler, ask to read/write
/var/spool/impexp/../../../usr/local/pgsql/data/pg_hba.conf
While you could patch around these particular attacks by further
restricting the filenames, the bottom line is that server-side LO
operations are just inherently insecure.
regards, tom lane
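Both bypasses in Tom's mail work because the patch inspects only the final file, not where the requested path actually resolves. The following is an added example, not code from this thread or from PostgreSQL, of the containment check a defender would want instead: canonicalize the request with realpath (which collapses both symlinks and `..`) and require the result to stay strictly under the real import/export directory. The directory layout, file names and contents are constructed in a temporary directory to mirror the mail; it closes these two path tricks only and does not address the broader point about a world-writable directory.

```python
import os
import tempfile


def resolve_within(base_dir, requested):
    """Return the canonical path of `requested` only if it lies strictly
    inside the canonical path of `base_dir`, else None.

    realpath() resolves symlinked components and '..' segments, so a
    symlink planted inside base_dir and a '../../..' walk both canonicalize
    to their true location and fail the prefix test below."""
    real_base = os.path.realpath(base_dir)
    if not os.path.isabs(requested):
        requested = os.path.join(base_dir, requested)
    real_target = os.path.realpath(requested)
    if real_target == real_base:
        return None  # the directory itself is not a file to import/export
    if os.path.commonpath([real_base, real_target]) != real_base:
        return None  # resolved outside the allowed directory
    if os.path.exists(real_target) and not os.path.isfile(real_target):
        return None  # keep the original patch's regular-file rule as well
    return real_target


def demo():
    """Rebuild the layout from the mail under a temp dir (constructed sample,
    not real system paths) and run the three requests through the check."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "usr", "local", "pgsql", "data")
    impexp = os.path.join(root, "var", "spool", "impexp")
    os.makedirs(data)
    os.makedirs(impexp)
    with open(os.path.join(data, "pg_hba.conf"), "w") as f:
        f.write("# constructed stand-in for the Postgres-owned file\n")
    with open(os.path.join(impexp, "export.dat"), "w") as f:
        f.write("legitimate export data\n")
    # the 'ln -s .../data /var/spool/impexp/link' step from the mail
    os.symlink(data, os.path.join(impexp, "link"))
    return {
        "legit": resolve_within(impexp, os.path.join(impexp, "export.dat")) is not None,
        "symlink": resolve_within(impexp, os.path.join(impexp, "link", "pg_hba.conf")) is not None,
        "dotdot": resolve_within(impexp, impexp + "/../../../usr/local/pgsql/data/pg_hba.conf") is not None,
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'symlink': False, 'dotdot': False}
```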