Re: logfile subprocess and Fancy File Functions - Mailing list pgsql-patches

From Tom Lane
Subject Re: logfile subprocess and Fancy File Functions
Date
Msg-id 4939.1090686756@sss.pgh.pa.us
Whole thread Raw
In response to Re: logfile subprocess and Fancy File Functions  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-patches
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Tom Lane wrote:
>> Bruce Momjian <pgman@candle.pha.pa.us> writes:
>>> Thinking we have security because they can't guess
>>> pgdata seems like security through obscurity to me.
>>
>> Sure, but it's still a useful roadblock to throw in an attacker's way.

> As a super-user, could an attacker load a server-side language and
> access the backend environment variable PGDATA.

Only if it's set.  A security-conscious DBA might prefer to start the
postmaster with -D instead of setting an environment variable.  (In fact
I wonder whether we shouldn't make the postmaster unsetenv PGDATA after
it's set the data directory.  This would be good for debugging purposes,
ie catching any subprocesses that mistakenly assume PGDATA must be a
correct pointer to the datadir, as well as for security reasons.)

> Also look at this:

>   test=> CREATE FUNCTION "xxx_call_handler" () RETURNS language_handler AS '$libdir/pltcl' LANGUAGE C;
>   ERROR:  could not find function "xxx_call_handler" in file "/usr/var/local/postgres/lib/pltcl.so"

> Notice the expansion of "$libdir".

Yah, but that only tells him where libdir is, which shouldn't help him
much.  In any hardened installation, that directory tree won't be
writable by postgres at all.

            regards, tom lane

pgsql-patches by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: logfile subprocess and Fancy File Functions
Next
From: Tom Lane
Date:
Subject: Re: logfile subprocess and Fancy File Functions