Thread: OpenBSD Trusted Path Execution (TPE) compatibility?
Hi folks, I'm new to postgresql so please bear with me. I've got PostgreSQL installed and working successfully on my OpenBSD machine. I'm also installing the TPE patches which do a few things: Prevent execution of binaries that are in directories not owned by root Prevents interpreters from reading from STDIN Protect most proc info and *stat stuff Strips LD_PRELOAD and LD_LIBRARY_PATH Is there any reason that PostgreSQL or postmaster would have a problem with this or has anyone tried these together? (It's always possible to designate postgresql as a trusted user so it doesn't have these restrictions but I'd rather not if I don't have to) Thanks, Joshua Jore
Joshua Jore writes: > Prevent execution of binaries that are in directories not owned by root > Prevents interpreters from reading from STDIN > Protect most proc info and *stat stuff > Strips LD_PRELOAD and LD_LIBRARY_PATH > > Is there any reason that PostgreSQL or postmaster would have a problem > with this You might have trouble with the second item if you're using passwords, since those have to come from stdin somehow. But your description is too vague to tell. The others shouldn't pose any problems. -- Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
Nah, the restriction is only on fd 0 which isn't going to happen in reads to real files. I've got it figured out now - unless I write some code for PostgreSQL and don't let root own it (not run it, the postgresql user does that) then I don't have to trust the daemon user. Thanks for the suggestion tho. It's been an education ;-) Josh On Thu, 5 Jul 2001, Peter Eisentraut wrote: > Joshua Jore writes: > > > Prevent execution of binaries that are in directories not owned by root > > Prevents interpreters from reading from STDIN > > Protect most proc info and *stat stuff > > Strips LD_PRELOAD and LD_LIBRARY_PATH > > > > Is there any reason that PostgreSQL or postmaster would have a problem > > with this > > You might have trouble with the second item if you're using passwords, > since those have to come from stdin somehow. But your description is too > vague to tell. The others shouldn't pose any problems. > > -- > Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html >