Re: [GENERAL] worried about PGPASSWORD drop - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [GENERAL] worried about PGPASSWORD drop
Date
Msg-id 200208292142.g7TLgRd23655@candle.pha.pa.us
Whole thread Raw
In response to Re: [GENERAL] worried about PGPASSWORD drop  ("Nigel J. Andrews" <nandrews@investsystems.co.uk>)
Responses Re: [GENERAL] worried about PGPASSWORD drop
List pgsql-patches
Nigel J. Andrews wrote:
> On Wed, 28 Aug 2002, Alvaro Herrera wrote:
>
> > En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> >
> > Thank you.  Patch attached.  Note that it also checks group access; I think
> > that is desired as well.
>
> +
> +     /* If password file is insecure, alert the user and ignore it. */
> +     if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
>
>
> Should there also be a S_IFREG check to make sure no one is trying any other
> tricks? I'm not sure of what an exploit would be but for the sake of paranoia
> it seems a cheap test.
>
> I take it no one wants to start checking directory tree permissions etc.

They may want a symlink to point to somewhere else.  I can see that.  In
fact, I can see settings for Unix group sharing a password file but I am
not going to suggest loosening the group permissions until someone says
they want that.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

pgsql-patches by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Superuser Reserved Backend Slots - TODO item
Next
From: Bruce Momjian
Date:
Subject: Re: fix for palloc() of user-supplied length