Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) - Mailing list pgsql-advocacy

From Selena Deckelmann
Subject Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Date
Msg-id CAN1EF+zvd+ywykY6P=Sm2p-vcC3OYqKeTmvqNP145gQXxD3Zig@mail.gmail.com
In response to Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
List pgsql-advocacy
On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> > Comments?
> >
> > http://blog.blackwinghq.com/2013/04/08/2/
>
> It is interesting how they try to combine the write ability to a web
> server or postgres .profile file; I find the .profile particularly
> nasty.

Yup. It's maybe an argument for chroot'ing the server to the $PGDATA directory. I realize that's probably not reasonable for stuff like extensions right now.

Also, a related best practice is keeping track of all the files that are in home directories of privileged users with something like Puppet or Chef -- so even if an attacker *does* overwrite a file like this, automation will wipe it out.

-selena
 
--
http://chesnok.com
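One way to implement the automation Selena describes, as an added example that is not part of this thread: a small POSIX shell check that compares the postgres OS user's login files against root-owned golden copies and reverts any drift, which is what a Puppet or Chef file resource does on every agent run. The home path, golden-copy directory and file list are assumptions for a Debian-style layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the login files in the
# postgres OS user's home directory identical to read-only golden copies,
# so a file planted there (the .profile vector discussed above) is reverted.

# Assumed locations; override via the environment.
PG_HOME="${PG_HOME:-/var/lib/postgresql}"
GOLDEN="${GOLDEN:-/etc/postgresql-golden}"   # root-owned, mode 0755

# Assumed list of files worth pinning; extend for your platform.
DOTFILES=".profile .bash_profile .bashrc .pgpass .psqlrc"

# check_dotfiles HOME GOLDEN: print one DRIFT line per deviation.
# Returns 0 when every listed file matches its golden copy, 1 otherwise.
check_dotfiles() {
    home=$1; golden=$2; rc=0
    for f in $DOTFILES; do
        if [ -e "$golden/$f" ] && [ ! -e "$home/$f" ]; then
            echo "DRIFT $f (missing)"; rc=1
        elif [ -e "$home/$f" ] && [ ! -e "$golden/$f" ]; then
            echo "DRIFT $f (unexpected file)"; rc=1
        elif [ -e "$home/$f" ] && ! cmp -s "$golden/$f" "$home/$f"; then
            echo "DRIFT $f (content changed)"; rc=1
        fi
    done
    return $rc
}

# restore_dotfiles HOME GOLDEN: copy golden files back over the home
# directory, remove listed files that have no golden copy, fix the mode.
restore_dotfiles() {
    home=$1; golden=$2
    for f in $DOTFILES; do
        if [ -e "$golden/$f" ]; then
            cp "$golden/$f" "$home/$f"
            chmod 0644 "$home/$f"
        elif [ -e "$home/$f" ]; then
            rm -f "$home/$f"
        fi
    done
}

# Typical cron use: report, then enforce.
# check_dotfiles "$PG_HOME" "$GOLDEN" || restore_dotfiles "$PG_HOME" "$GOLDEN"
```

Run it from a root cron job or as a post-deploy hook; it logs each deviation before reverting it, so the DRIFT lines double as a simple detection signal.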
