Re: [INTERFACES] pg_pwd

From Lamar Owen
Subject Re: [INTERFACES] pg_pwd
Date
Msg-id 38396F8A.FB60E090@wgcr.org
In reply to Re: [INTERFACES] pg_pwd  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-interfaces
"Sergio A. Kessler" wrote:
> Lamar Owen wrote:
> > already has the RPM's, all they need to do is run, as root, 'chmod 0700
> > /var/lib/pgsql' -- much quicker than a multimegabyte download of a new RPM set
> > that contains no real fixes.
> maybe no real fixes ... but the current state is that we have a
> security hole more bigger than the crater of gorongoro.

The phrasing 'no real fixes' was not a good phrasing on my part.  It is
a small fix that the sysadmin can apply much quicker by hand than by
downloading and installing updated RPM's.  The fix will go into the next
release RPM set.  There are some other open issues as well; they are
on-list to go in the next release.

> I agreed on doing just a chmod, but lots of people wouldn't do that,
> then you have to provide a smooth migration path in the next release,
> changing pgdata from 755 (created with the rpm) to 700.

The chmod can and will be made part of the preinstall script in the RPM
-- this is a much smaller difficulty than the whole upgrading mess
solved in the 6.5.1-0.7lo prerelease RPM's.  This will also be addressed
in the next release.  If demand is for a quick release, I can release
within the week -- I am also working on integrating some other
architectures into the RPM build (Cobalt RAQ and Qube MIPS
architectures).

> yup, but it was not me who chmod'ed 755 /var/lib/pgsql nor
> chmod'ed 666 pg_pwd, leaving all passwords in clear to all
> users on the system, not me ...

Changing the mode of /var/lib/pgsql only fixes the symptom -- the
problem (the mode 666 pg_pwd) is fixed in the current CVS and will
appear fixed in 7.0.  However, I do agree that the mode 755 in
/var/lib/pgsql should have been fixed long ago -- it just wasn't noticed
nor was it a known problem before.

It will be fixed in the next RPM release.

--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
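
The two permission problems named in this message (the mode 755 data directory and the mode 666 pg_pwd) can be checked with a short script. This is an added example, not part of the original e-mail or of the PostgreSQL RPMs; the function names `audit_pgdata` and `make_sample` are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original message). Audits a PostgreSQL data
# directory for the two permission problems discussed above.
# Usage: audit_pgdata /var/lib/pgsql
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR is not a directory.
audit_pgdata() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }
    rc=0

    # Symptom: group/other bits on the directory let local users enter it.
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "DIR  $dir is open to group/other ($bits); expected mode 0700"
        rc=1
    fi

    # Underlying problem: files inside that are world-readable or
    # world-writable (the message names a mode 666 pg_pwd).
    loose=$(find "$dir" -type f \( -perm -004 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/FILE world-accessible: /'
        rc=1
    fi
    return $rc
}

# Constructed sample tree reproducing the modes named in the message:
# a 0755 directory holding a 0666 pg_pwd. Prints the directory path.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"
    : > "$d/pg_pwd"
    chmod 0666 "$d/pg_pwd"
    echo "$d"
}
```

On the sample tree, running `chmod 0700` on the directory alone clears the DIR finding but leaves the FILE finding for pg_pwd, which matches the point that the directory mode only addresses the symptom.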

