Re: [INTERFACES] pg_pwd

From Lamar Owen
Subject Re: [INTERFACES] pg_pwd
Date
Msg-id 99112017500100.00543@lorc.wgcr.org
In response to Re: [INTERFACES] pg_pwd  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [INTERFACES] pg_pwd  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-interfaces
On Fri, 19 Nov 1999, Tom Lane wrote:
> > in rh6.1 /var/lib/pgsql is 755 (and no, I haven't changed anything)
> > can you spell "2_KM_DIAMETER_HOLE" ?
> 
> In a standard setup, pg_pwd is inside .../pgsql/data which is mode 700.
> Have the RH guys really blown it this badly?  (Lamar?)

PGDATA is in fact 755 in the RPM installation.  pg_pwd is the only file 666
under this directory.

Since pg_pwd is not very well documented, it is kind of hard to figure out
the permissions -- however, it is simple enough to issue a security advisory
for people to chmod 0700 /var/lib/pgsql.

The change to mode 0700 for PGDATA (which is moving in the future) will be made
in future RPM's.  Again, no other file under /var/lib/pgsql under RH6.1 has
group or world permissions EXCEPT pg_pwd.

And yes, this IS a glaring security hole, IF the user postgres has a postgres
password.  Just WHY is pg_pwd mode 666 in the first place??

--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
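
Added example, not part of the original message and not PostgreSQL or Red Hat tooling: a POSIX shell audit that separates the two conditions discussed in this thread, a data directory open to group/other and files inside it that carry group or world permission bits. The function names, exit codes and the demo tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not PostgreSQL or RPM tooling). Function names, exit codes
# and the demo tree are constructed for illustration.

# List entries under "$1" that grant any group or world permission bit.
# Extra find primaries (-prune, -type f) may follow the directory argument.
# POSIX find: "-perm -N" is true when every bit in N is set.
find_loose() {
    dir=$1; shift
    find "$dir" "$@" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Exit status: 0 = private directory, no loose files
#              1 = loose files, shielded only by the 0700 directory
#              2 = directory open to group/other, files themselves tight
#              3 = directory open AND loose files inside (the case reported)
audit_pgdata() {
    pgdata=$1
    status=0
    loose_files=$(find_loose "$pgdata" -type f)
    if [ -n "$(find_loose "$pgdata" -prune)" ]; then
        echo "OPEN DIR: $pgdata grants group/other access (want 0700)"
        status=2
    fi
    if [ -n "$loose_files" ]; then
        echo "LOOSE FILES:"
        echo "$loose_files" | sed 's/^/  /'
        status=$((status + 1))
    fi
    return "$status"
}

# Constructed demo tree mirroring the modes quoted in the message.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/data" && : > "$tmp/data/pg_pwd" && : > "$tmp/data/other_file"
    chmod 755 "$tmp/data"; chmod 666 "$tmp/data/pg_pwd"
    chmod 600 "$tmp/data/other_file"
    rc=0; audit_pgdata "$tmp/data" || rc=$?
    echo "status with 755 directory: $rc"
    chmod 0700 "$tmp/data"
    rc=0; audit_pgdata "$tmp/data" || rc=$?
    echo "status after chmod 0700:   $rc"
    rm -rf "$tmp"
}

demo
```

Status 1 after the `chmod 0700` shows that the directory mode alone is what keeps the mode 666 file out of reach, so the file's own mode still needs fixing.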

