Re: EMBEDDED PostgreSQL - Mailing list pgsql-general

From Magnus Hagander
Subject Re: EMBEDDED PostgreSQL
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE476706@algol.sollentuna.se
In response to EMBEDDED PostgreSQL  (Tope Akinniyi <topeakinniyi@yahoo.co.uk>)
List pgsql-general
> > Sorry, but any Windows user who thinks he doesn't need security
> > measures equivalent to (not "beyond") minimum Unix practice is a dummy
> > about security.  Take a look at this LOAD vulnerability we're in the
> > midst of patching, and ask yourself whether you aren't glad that it
> > can't be used to get admin privileges on your Windows box.
>
> So a vulnerability exists on Windows even if PostgreSQL is
> only accepting local connections?

No. You need an *authenticated* connection to the database. If your web
interface is open to SQL Injection, you can get in through that, but
else you need some kind of account and connecting permissions to the
database server.
pg_hba also protects you even if you allow connections elsewhere.


//Magnus
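
The reply relies on pg_hba.conf actually demanding authentication. The following is an added example, not part of the original message or of PostgreSQL: a small audit that flags `trust` rules, which admit connections without credentials. The sample file is constructed, and the function names and severity labels are assumptions of this example.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration (not from the original message).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       127.0.0.1/32     trust
host    appdb     webapp    10.0.0.0/8       md5
host    all       all       0.0.0.0 0.0.0.0  trust
hostssl appdb     report    192.168.1.20/32  scram-sha-256
"""

NO_AUTH_METHODS = {"trust"}  # accepts the connection without any credentials


def parse_hba(text):
    """Yield (lineno, type, database, user, network, method) for each rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        conn_type, database, user, rest = fields[0], fields[1], fields[2], fields[3:]
        if conn_type == "local":  # Unix-socket rule: no address column
            yield lineno, conn_type, database, user, None, rest[0]
            continue
        try:  # address is either "addr/len" or "addr mask"
            if "/" in rest[0]:
                net, method = ipaddress.ip_network(rest[0], strict=False), rest[1]
            else:
                net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
                method = rest[2]
        except (ValueError, IndexError):  # hostname or keyword: all, samehost, samenet
            net, method = rest[0], rest[1]
        yield lineno, conn_type, database, user, net, method


def audit(text):
    """Return (lineno, severity, rule) for rules that skip authentication."""
    findings = []
    for lineno, conn_type, database, user, net, method in parse_hba(text):
        if method not in NO_AUTH_METHODS:
            continue
        # Socket and loopback rules are reachable only from the host itself.
        local_only = net is None or (not isinstance(net, str) and net.is_loopback)
        where = "socket" if net is None else net
        findings.append((lineno, "warn" if local_only else "critical",
                         f"{conn_type} {database} {user} {where} {method}"))
    return findings
```
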
