Обсуждение: Re: [GENERAL] worried about PGPASSWORD drop
En Wed, 28 Aug 2002 17:33:34 -0400 (EDT) Bruce Momjian <pgman@candle.pha.pa.us> escribió: > Alvaro Herrera wrote: > > Bruce Momjian dijo: > > > > > Tom Lane wrote: > > > > > > If you want to put in security restrictions that are actually useful, > > > > where is the code to verify that PGPASSWORDFILE points at a > > > > non-world-readable file? That needs to be there now, not later, or > > > > we'll have people moaning about backward compatibility when we finally > > > > do plug that hole. > > > > > > Agreed. > > > > Point taken, will look into it later. > > Here is some code from postmaster.c that may help: Thank you. Patch attached. Note that it also checks group access; I think that is desired as well. -- Alvaro Herrera (<alvherre[a]atentus.com>) "Cuando mañana llegue pelearemos segun lo que mañana exija" (Mowgli)
Вложения
Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Alvaro Herrera wrote:
> En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> Bruce Momjian <pgman@candle.pha.pa.us> escribi?:
>
> > Alvaro Herrera wrote:
> > > Bruce Momjian dijo:
> > >
> > > > Tom Lane wrote:
> > >
> > > > > If you want to put in security restrictions that are actually useful,
> > > > > where is the code to verify that PGPASSWORDFILE points at a
> > > > > non-world-readable file? That needs to be there now, not later, or
> > > > > we'll have people moaning about backward compatibility when we finally
> > > > > do plug that hole.
> > > >
> > > > Agreed.
> > >
> > > Point taken, will look into it later.
> >
> > Here is some code from postmaster.c that may help:
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.
>
> --
> Alvaro Herrera (<alvherre[a]atentus.com>)
> "Cuando ma?ana llegue pelearemos segun lo que ma?ana exija" (Mowgli)
[ Attachment, skipping... ]
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
On Wed, 28 Aug 2002, Alvaro Herrera wrote: > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT) > > Thank you. Patch attached. Note that it also checks group access; I think > that is desired as well. + + /* If password file is insecure, alert the user and ignore it. */ + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO)) Should there also be a S_IFREG check to make sure no one is trying any other tricks? I'm not sure of what an exploit would be but for the sake of paranoia it seems a cheap test. I take it no one wants to start checking directory tree permissions etc. -- Nigel J. Andrews Director --- Logictree Systems Limited Computer Consultants
Nigel J. Andrews wrote: > On Wed, 28 Aug 2002, Alvaro Herrera wrote: > > > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT) > > > > Thank you. Patch attached. Note that it also checks group access; I think > > that is desired as well. > > + > + /* If password file is insecure, alert the user and ignore it. */ > + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO)) > > > Should there also be a S_IFREG check to make sure no one is trying any other > tricks? I'm not sure of what an exploit would be but for the sake of paranoia > it seems a cheap test. > > I take it no one wants to start checking directory tree permissions etc. They may want a symlink to point to somewhere else. I can see that. In fact, I can see settings for Unix group sharing a password file but I am not going to suggest loosening the group permissions until someone says they want that. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
On Thu, 29 Aug 2002, Bruce Momjian wrote: > Nigel J. Andrews wrote: > > On Wed, 28 Aug 2002, Alvaro Herrera wrote: > > > > > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT) > > > > > > Thank you. Patch attached. Note that it also checks group access; I think > > > that is desired as well. > > > > + > > + /* If password file is insecure, alert the user and ignore it. */ > > + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO)) > > > > > > Should there also be a S_IFREG check to make sure no one is trying any other > > tricks? I'm not sure of what an exploit would be but for the sake of paranoia > > it seems a cheap test. > > > > I take it no one wants to start checking directory tree permissions etc. > > They may want a symlink to point to somewhere else. I can see that. In > fact, I can see settings for Unix group sharing a password file but I am > not going to suggest loosening the group permissions until someone says > they want that. Doesn't stat() resolve all symlinks? I must admit it's not something I've check but I thought it went through until it found a non symlink. I'm probably just being too paranoid about pipes etc. though. I'd wait and see about the group permissions as well. I can't really see the need myself. I'm not very imaginative at times though. May be in a teaching environment. -- Nigel J. Andrews
Patch applied. Thanks. --------------------------------------------------------------------------- Alvaro Herrera wrote: > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT) > Bruce Momjian <pgman@candle.pha.pa.us> escribi?: > > > Alvaro Herrera wrote: > > > Bruce Momjian dijo: > > > > > > > Tom Lane wrote: > > > > > > > > If you want to put in security restrictions that are actually useful, > > > > > where is the code to verify that PGPASSWORDFILE points at a > > > > > non-world-readable file? That needs to be there now, not later, or > > > > > we'll have people moaning about backward compatibility when we finally > > > > > do plug that hole. > > > > > > > > Agreed. > > > > > > Point taken, will look into it later. > > > > Here is some code from postmaster.c that may help: > > Thank you. Patch attached. Note that it also checks group access; I think > that is desired as well. > > -- > Alvaro Herrera (<alvherre[a]atentus.com>) > "Cuando ma?ana llegue pelearemos segun lo que ma?ana exija" (Mowgli) [ Attachment, skipping... ] -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Nigel J. Andrews wrote: > > They may want a symlink to point to somewhere else. I can see that. In > > fact, I can see settings for Unix group sharing a password file but I am > > not going to suggest loosening the group permissions until someone says > > they want that. > > Doesn't stat() resolve all symlinks? Yep, only lstat() sees symlinks. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073