Re: [HACKERS] TODO list updated - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [HACKERS] TODO list updated
Date
Msg-id 16269.947788703@sss.pgh.pa.us
In response to Re: [HACKERS] TODO list updated  (Karl DeBisschop <kdebisschop@range.infoplease.com>)
List pgsql-hackers
Karl DeBisschop <kdebisschop@range.infoplease.com> writes:
>> That's got a race condition: at the time you start the postmaster,
>> the postgres superuser hasn't got a password.  A bad guy could get
>> in there and set the password the way *he* wanted it

> Or could `echo "ALTER USER ..." | standalone-backend` to the backend
> -- isn't that still a race condition?

No, not unless he's already either root or postgres.  Ordinary other
users can't run a standalone backend in your database (that's one reason
why the toplevel data directory must always have permissions 700).

> And even if echo is a builtin in all shells, an alias will override
> the builtin, at least in bash.  So if your machine has been penetrated
> to the point where the above race condition comes into play, you also
> cannot trust echo.

Again, if the attacker has already managed to modify your .profile,
then you've lost the game.  What we're concerned about here is other
users on your machine or any of the machines that your pg_hba file
allows connections from.  Running ps while you are doing initdb, for
example, doesn't require any special preconditions beyond a regular
user account on the same machine you are on.
        regards, tom lane
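The point Tom makes about `ps` is easy to check for yourself. The following is an added example, not code from the thread or from PostgreSQL: it spawns a Python child process (standing in for a non-builtin `echo` or any other helper) with a constructed placeholder secret, once on the command line and once on stdin, and reads the child's argv the way any unprivileged local user could (via `/proc/<pid>/cmdline`, falling back to `ps`). The argv variant leaks the secret to the whole machine; the stdin variant does not, which is why passwords should be fed to a backend through a pipe or a file rather than as arguments.

```python
import subprocess
import sys
import time

# Constructed placeholder; not a real credential.
SECRET = "example-secret-NOT-REAL"


def child_cmdline(pid: int) -> str:
    """Return another process's argv as any local user could see it.
    Prefers /proc/<pid>/cmdline (Linux); falls back to `ps` elsewhere."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def secret_visible_via_argv() -> bool:
    """Secret passed as a command-line argument: visible in the process table."""
    proc = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(5)", SECRET])
    try:
        time.sleep(0.2)  # give /proc a moment to settle on slow hosts
        return SECRET in child_cmdline(proc.pid)
    finally:
        proc.kill()
        proc.wait()


def secret_visible_via_stdin() -> bool:
    """Secret written to the child's stdin: never appears in argv."""
    proc = subprocess.Popen(
        [sys.executable, "-c", "import sys, time; sys.stdin.read(); time.sleep(5)"],
        stdin=subprocess.PIPE)
    try:
        proc.stdin.write(SECRET.encode())
        proc.stdin.close()
        time.sleep(0.2)
        return SECRET in child_cmdline(proc.pid)
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    print("argv  leaks secret:", secret_visible_via_argv())   # True
    print("stdin leaks secret:", secret_visible_via_stdin())  # False
```

The same check applies to the `ALTER USER ... PASSWORD` case in the thread: a shell builtin `echo` never forks, so its argument is never in any process's argv, whereas `/bin/echo` or an aliased replacement is a separate process whose argv is readable by every user on the box.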

