[Fwd: Bug#184566: security threat to postgresql applications]
От | Oliver Elphick |
---|---|
Тема | [Fwd: Bug#184566: security threat to postgresql applications] |
Дата | |
Msg-id | 1048280791.14044.133.camel@linda.lfix.co.uk обсуждение исходный текст |
Ответы |
Re: [Fwd: Bug#184566: security threat to postgresql
(Neil Conway <neilc@samurai.com>)
|
Список | pgsql-hackers |
Is this paranoia, or is it a valid security point. Any comments, please? -----Forwarded Message----- From: Erik Thiele <erik@thiele-hydraulik.de> To: submit@bugs.debian.org Subject: Bug#184566: security threat to postgresql applications Date: 13 Mar 2003 09:22:13 +0100 Package: postgresql Version: 7.2.1-2woody2 if an application is linked against libpq, then the user is able to specify environmental variables to override the defaults: PGPORT sets the default TCP port number or Unix-domain socket file extension for communicating with the PostgreSQL backend. PGDATABASE sets the default PostgreSQL database name. PGUSER sets the user name used to connect to the database and for authentication. PGPASSWORD sets the password used if the backend demands password authentication. This is not recommended because the password can be read by others using the ps command with special options on some platforms. PGREALM sets the Kerberos realm to use with PostgreSQL, if it is different from the local realm. If PGREALM is set, PostgreSQL applications will attempt authentication with servers for this realm and use separate ticket files to avoid conflicts with local ticket files. This environment variable is only used if Kerberos authentication is selected by the backend. PGOPTIONS sets additional runtime options for the PostgreSQL backend. PGTTY sets the file or tty on which debugging messages from the backend server are displayed. PGDATESTYLE sets the default style of date/time representation. PGTZ sets the default time zone. PGCLIENTENCODING sets the default client encoding (if multibyte support was selected when configuring PostgreSQL). PGGEQO sets the default mode for the genetic optimizer. the usual user program probably does something like: PQconnectdb("host='myhost' dbname='mydb' user='myuser' password='s'"); FIRST POINT: ------------ the resulting executable program must be --x--x--x so that the users using it cannot read the binary and thus cannot see the password. that should be in the documentation! programmers must not forget this issue!! SECOND POINT: ------------- if the user runs the program with the environment variable PORT set to 23423, he can install his own program on that port listening for the password! he can then use that password to connect to the real database and delete everything. the two POINT must be documentated. a fix for the first point is not neccessary. but a fix for the second point cannot be done due to backward compatibility. ALL environment variables should be ignored. there should be a "mkoptions_from_environment" function that has to be explicitly called. the environment stuff is like a second way into a function. not clean design. i.e: printf("hello"); does not print hello, but prints "goodbye" instead because the environment sais so. i don't like the idea in general. the documentation must say that one has to specify the port even if it is the default port, because otherwise the database password can be stolen. but really there must be documentation on the issue!! not all apps are web based. there are still native programs floating around that are called by ordinary users... cu erik -- Erik Thiele email: erik@thiele-hydraulik.de -- Oliver Elphick Oliver.Elphick@lfix.co.uk Isle of Wight, UK http://www.lfix.co.uk/oliver GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C ======================================== "Thy word have I hid in mine heart, that I might not sin against thee." Psalms 119:11
В списке pgsql-hackers по дате отправления: