pg_settings.sourcefile patch is a security breach - Mailing list pgsql-hackers

From Tom Lane
Subject pg_settings.sourcefile patch is a security breach
Date
Msg-id 29943.1222021508@sss.pgh.pa.us
Responses Re: pg_settings.sourcefile patch is a security breach  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
We go to some lengths to prevent non-superusers from examining
data_directory and other values that would tell them exactly where the
PG data directory is in the server's filesystem.  The recently applied
patch to expose full pathnames of GUC variables' source files blows a
hole a mile wide in that.

Possible answers: don't show the path, only the file name; or
show sourcefile/sourceline as NULL to non-superusers.
        regards, tom lane
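
The two fixes proposed in the message above, modelled as an added example that is not part of the original post or of PostgreSQL's code: it measures which server directories a non-superuser can learn from sourcefile before and after each fix. The rows, paths and function names are constructed for illustration, and POSIX-style server paths are assumed.

```python
import posixpath

# Constructed sample: (name, setting, sourcefile, sourceline) rows as a
# non-superuser session might see them in pg_settings with the patch applied.
# The paths are made up for illustration.
SAMPLE_ROWS = [
    ("shared_buffers", "32MB", "/srv/pg/data/postgresql.conf", 105),
    ("work_mem", "4MB", "/srv/pg/data/conf.d/tuning.conf", 3),
    ("DateStyle", "ISO, MDY", None, None),  # not set from a file
]


def leaked_directories(rows):
    """Return the server directories a caller can learn from sourcefile."""
    return {
        posixpath.dirname(src)
        for _, _, src, _ in rows
        if src and posixpath.isabs(src)
    }


def redact(rows, is_superuser, mode):
    """Apply one of the two proposed fixes (hypothetical helper).

    mode="basename": show only the file name, not the path.
    mode="null":     show sourcefile/sourceline as NULL (None here).
    Superusers always get the rows unchanged.
    """
    if mode not in ("basename", "null"):
        raise ValueError(f"unknown mode: {mode}")
    if is_superuser:
        return list(rows)
    out = []
    for name, setting, src, line in rows:
        if src is not None and mode == "basename":
            out.append((name, setting, posixpath.basename(src), line))
        else:
            out.append((name, setting, None, None))
    return out


if __name__ == "__main__":
    print("unredacted:", sorted(leaked_directories(SAMPLE_ROWS)))
    for mode in ("basename", "null"):
        rows = redact(SAMPLE_ROWS, is_superuser=False, mode=mode)
        print(mode, "->", sorted(leaked_directories(rows)), rows)
```

Both fixes remove the directory disclosure; the basename variant still shows which configuration file names exist and the line numbers within them.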

