Re: [GENERAL] worried about PGPASSWORD drop

Поиск
Список
Период
Сортировка
От Nigel J. Andrews
Тема Re: [GENERAL] worried about PGPASSWORD drop
Дата
Msg-id Pine.LNX.4.21.0208292157240.667-100000@ponder.fairway2k.co.uk
обсуждение исходный текст
Ответ на Re: [GENERAL] worried about PGPASSWORD drop  (Alvaro Herrera <alvherre@atentus.com>)
Ответы Re: [GENERAL] worried about PGPASSWORD drop  (Bruce Momjian <pgman@candle.pha.pa.us>)
Список pgsql-patches
Дерево обсуждения 
On Wed, 28 Aug 2002, Alvaro Herrera wrote:

> En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
>
> Thank you.  Patch attached.  Note that it also checks group access; I think
> that is desired as well.

+
+     /* If password file is insecure, alert the user and ignore it. */
+     if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))


Should there also be a S_IFREG check to make sure no one is trying any other
tricks? I'm not sure of what an exploit would be but for the sake of paranoia
it seems a cheap test.

I take it no one wants to start checking directory tree permissions etc.


--
Nigel J. Andrews
Director

---
Logictree Systems Limited
Computer Consultants

В списке pgsql-patches по дате отправления:

Предыдущее
От: "Karim Mribti"
Дата:
Сообщение: Re: Spanish translation patch
Следующее
От: Bruce Momjian
Дата:
Сообщение: Re: Superuser Reserved Backend Slots - TODO item