file_fdw target file ownership
От | Daniel Vérité |
---|---|
Тема | file_fdw target file ownership |
Дата | |
Msg-id | a2fe84db-0323-4020-b1f7-48ddaaaeeec5@mm обсуждение исходный текст |
Ответы |
Re: file_fdw target file ownership
|
Список | pgsql-hackers |
Hi, When a superuser creates a foreign table with file_fdw, the target file can belong to any user, as long as postgres can read it. This is useful when the data files are handed by non-postgres tools, such as a spreadsheet. In such a case, it makes sense that the superuser would additionally grant SELECT on the foreign table to a non-superuser to process the contents. But once the foreign table is set up, a malicious user owning the file or even the containing directory can replace it by a link to any file that can be read only by postgres, such as the server's private key. With SELECT permission granted on the table, the non-superuser can then proceed to read the contents in SQL. I've tried it successfully with 9.3rc1. As a result, it means that an admin should not allow a file as the target of a foreign table if it can be replaced on the filesystem by a non-postgres user. It may be writable by a non-postgres user, though, which is quite useful with moving data. This is a bit subtle. To avoid the whole issue, how about adding an option in file_fdw forcing it to check each time it opens the file that its ownership and maybe permissions have not changed since CREATE FOREIGN TABLE? Or is there a simpler way to deal with the above case? Best regards, -- Daniel VéritéPostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
В списке pgsql-hackers по дате отправления: