Thread: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Comments?

http://blog.blackwinghq.com/2013/04/08/2/

Robert Bernier
On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> Comments?
>
> http://blog.blackwinghq.com/2013/04/08/2/

It is interesting how they try to combine the write ability to a web
server or postgres .profile file; I find the .profile particularly
nasty.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> > Comments?
> >
> > http://blog.blackwinghq.com/2013/04/08/2/
>
> It is interesting how they try to combine the write ability to a web
> server or postgres .profile file; I find the .profile particularly
> nasty.
Yup. It's maybe an argument for chroot'ing the server to the $PGDATA directory. I realize that's probably not reasonable for stuff like extensions right now.
Also, a related best practice is keeping track of all the files that are in home directories of privileged users with something like Puppet or Chef -- so even if an attacker *does* overwrite a file like this, automation will wipe it out.
-selena
http://chesnok.com
On Thu, Apr 11, 2013 at 1:15 PM, Selena Deckelmann <selena@chesnok.com> wrote:
> Also, a related best practice is keeping track of all the files that are in
> home directories of privileged users

I would hope people have tripwire/aide/et al configured to watch for these
sorts of things already
Douglas J Hunley (doug.hunley@gmail.com)
Twitter: @hunleyd Web: douglasjhunley.com
G+: http://goo.gl/sajR3
On 11 April 2013 18:15, Selena Deckelmann <selena@chesnok.com> wrote:
>
> On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
>>
>> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
>> > Comments?
>> >
>> > http://blog.blackwinghq.com/2013/04/08/2/
>>
>> It is interesting how they try to combine the write ability to a web
>> server or postgres .profile file; I find the .profile particularly
>> nasty.
>
> Yup. It's maybe an argument for chroot'ing the server to the $PGDATA
> directory. I realize that's probably not reasonable for stuff like
> extensions right now.
>
> Also, a related best practice is keeping track of all the files that are in
> home directories of privileged users with something like Puppet or Chef --
> so even if an attacker *does* overwrite a file like this, automation will
> wipe it out.

Couldn't you deny write-access to .profile to the postgres user?

-- 
Thom
On Thu, Apr 11, 2013 at 06:24:54PM +0100, Thom Brown wrote:
> On 11 April 2013 18:15, Selena Deckelmann <selena@chesnok.com> wrote:
> >
> > On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
> >>
> >> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> >> > Comments?
> >> >
> >> > http://blog.blackwinghq.com/2013/04/08/2/
> >>
> >> It is interesting how they try to combine the write ability to a web
> >> server or postgres .profile file; I find the .profile particularly
> >> nasty.
> >
> > Yup. It's maybe an argument for chroot'ing the server to the $PGDATA
> > directory. I realize that's probably not reasonable for stuff like
> > extensions right now.
> >
> > Also, a related best practice is keeping track of all the files that are in
> > home directories of privileged users with something like Puppet or Chef --
> > so even if an attacker *does* overwrite a file like this, automation will
> > wipe it out.
>
> Couldn't you deny write-access to .profile to the postgres user?

You could, but they could create .bashrc, .bash_profile, or .bash_logout,
which would cause the same problem.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
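The checks Doug, Thom and Bruce are discussing, as an added example that is not from this thread or from PostgreSQL: it audits which login-shell startup files in a service account's home directory that account could modify or create (so a read-only .profile alone does not help while the home directory itself stays writable), and keeps an AIDE-style content baseline to diff against. The file list, function names and the temporary sample home it builds are assumptions for illustration.

```python
import hashlib
import os
import stat
import tempfile
# Files a login shell sources; control over any one of them is enough.
STARTUP_FILES = (".profile", ".bash_profile", ".bash_login", ".bashrc", ".bash_logout")
OTHER_UID = os.getuid() + 1  # stands in for a uid that does not own the sample home

def _controlled_by(st, uid):
    """uid owns the inode (so can chmod it), or group/other write bits are set."""
    return st.st_uid == uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_home(home, uid=None):
    """(name, reason) pairs: files uid can modify, or create via a writable home dir."""
    uid = os.getuid() if uid is None else uid
    dir_controlled = _controlled_by(os.stat(home), uid)
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.exists(path):
            if _controlled_by(os.stat(path), uid):
                findings.append((name, "writable by uid %d" % uid))
        elif dir_controlled:
            findings.append((name, "absent, but uid %d can create it" % uid))
    return findings

def snapshot(home):
    """SHA-256 per existing startup file: the baseline an AIDE-style check keeps."""
    out = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out

def changed_since(old, new):
    """Names added, removed or modified between two snapshots."""
    return sorted(n for n in set(old) | set(new) if old.get(n) != new.get(n))

def build_sample_home():
    """Constructed sample home: owned by us, read-only .profile, world-writable .bashrc."""
    home = tempfile.mkdtemp(prefix="pg_home_")
    os.chmod(home, 0o700)
    for name, mode in ((".profile", 0o444), (".bashrc", 0o666)):
        with open(os.path.join(home, name), "w") as fh:
            fh.write("# constructed sample %s\n" % name)
        os.chmod(os.path.join(home, name), mode)
    return home
```

Run it as root against the real postgres home with the postgres uid to see what that account could still plant; group membership is not resolved, so group-writable files are reported conservatively.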
> I would hope people have tripwire/aide/et al configured to watch for these
> sorts of things already

Most of our non-cloud users connect to the DB from the application as the
superuser (the cloud users don't only because they're not allowed to). I
think Tripwire is a little beyond them.

Anyway, the Blackwing analysis points out a whole set of potential exploits
which our security team hadn't thought of.

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com