Home > mailing lists

Re: [HACKERS] Possible make_oidjoins_check Security Issue - Mailing list pgsql-patches

From	Bruce Momjian
Subject	Re: [HACKERS] Possible make_oidjoins_check Security Issue
Date	November 4, 2004 02:42:46
Msg-id	200411032342.iA3NgPi14138@candle.pha.pa.us Whole thread Raw
In response to	Re: [HACKERS] Possible make_oidjoins_check Security Issue (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: [HACKERS] Possible make_oidjoins_check Security Issue (Gavin Sherry <swm@linuxworld.com.au>)
List	pgsql-patches

Tree view

Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> >> I think Tom's fix adequately addresses the security concerns. Exactly
> >> what is wrong with writing to the current working directory?
>
> > Because it could be run from a directory where others have write
> > permission.
>
> In which case, they could also change the findoidjoins script itself.
> I think your fix is *less* secure than what you replaced.
>
> However, I've already wasted more than enough time on this issue...
> I'm done arguing about it.

As far as I know, my method is the only secure method.  If I am wrong I
would like to know.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

pgsql-patches by date:

From: Tom Lane
Date: 04 November 2004, 02:34:31
Subject: Re: [HACKERS] Possible make_oidjoins_check Security Issue

From: Gavin Sherry
Date: 04 November 2004, 03:22:24
Subject: Re: [HACKERS] Possible make_oidjoins_check Security Issue

Re: [HACKERS] Possible make_oidjoins_check Security Issue - Mailing list pgsql-patches

Previous

Next