Thread: Re: [GENERAL] worried about PGPASSWORD drop
On Wed, 28 Aug 2002 17:33:34 -0400 (EDT) Bruce Momjian <pgman@candle.pha.pa.us> wrote:

> Alvaro Herrera wrote:
> > Bruce Momjian said:
> >
> > > Tom Lane wrote:
> > >
> > > > If you want to put in security restrictions that are actually useful,
> > > > where is the code to verify that PGPASSWORDFILE points at a
> > > > non-world-readable file? That needs to be there now, not later, or
> > > > we'll have people moaning about backward compatibility when we finally
> > > > do plug that hole.
> > >
> > > Agreed.
> >
> > Point taken, will look into it later.
>
> Here is some code from postmaster.c that may help:

Thank you. Patch attached. Note that it also checks group access; I think that is desired as well.

-- 
Alvaro Herrera (<alvherre[a]atentus.com>)
"When tomorrow comes, we will fight according to what tomorrow demands" (Mowgli)
Attachment
Your patch has been added to the PostgreSQL unapplied patches list at:

	http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> On Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>
> > Alvaro Herrera wrote:
> > > Bruce Momjian said:
> > >
> > > > Tom Lane wrote:
> > > >
> > > > > If you want to put in security restrictions that are actually useful,
> > > > > where is the code to verify that PGPASSWORDFILE points at a
> > > > > non-world-readable file? That needs to be there now, not later, or
> > > > > we'll have people moaning about backward compatibility when we finally
> > > > > do plug that hole.
> > > >
> > > > Agreed.
> > >
> > > Point taken, will look into it later.
> >
> > Here is some code from postmaster.c that may help:
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.
>
> --
> Alvaro Herrera (<alvherre[a]atentus.com>)
> "When tomorrow comes, we will fight according to what tomorrow demands" (Mowgli)

[ Attachment, skipping... ]

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
On Wed, 28 Aug 2002, Alvaro Herrera wrote:

> On Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.

+
+ /* If password file is insecure, alert the user and ignore it. */
+ if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))

Should there also be a S_IFREG check to make sure no one is trying any other tricks? I'm not sure of what an exploit would be but for the sake of paranoia it seems a cheap test.

I take it no one wants to start checking directory tree permissions etc.

-- 
Nigel J. Andrews
Director

---
Logictree Systems Limited
Computer Consultants
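Review bot: the condition `if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))` looks only at the group and other permission bits, so anything with mode 0600 passes regardless of file type or owner. Suggest also requiring `S_ISREG(stat_buf.st_mode)` and comparing `stat_buf.st_uid` with the effective user id. The lines quoted here do not show how `stat_buf` is filled; if it comes from stat() on the path, taking it from fstat() on the descriptor that is later read would tie the check to the file actually used.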
Nigel J. Andrews wrote:
> On Wed, 28 Aug 2002, Alvaro Herrera wrote:
>
> > On Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> >
> > Thank you. Patch attached. Note that it also checks group access; I think
> > that is desired as well.
>
> +
> + /* If password file is insecure, alert the user and ignore it. */
> + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
>
>
> Should there also be a S_IFREG check to make sure no one is trying any other
> tricks? I'm not sure of what an exploit would be but for the sake of paranoia
> it seems a cheap test.
>
> I take it no one wants to start checking directory tree permissions etc.

They may want a symlink to point to somewhere else. I can see that. In fact, I can see settings for Unix group sharing a password file but I am not going to suggest loosening the group permissions until someone says they want that.

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
On Thu, 29 Aug 2002, Bruce Momjian wrote:

> Nigel J. Andrews wrote:
> > On Wed, 28 Aug 2002, Alvaro Herrera wrote:
> >
> > > On Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> > >
> > > Thank you. Patch attached. Note that it also checks group access; I think
> > > that is desired as well.
> >
> > +
> > + /* If password file is insecure, alert the user and ignore it. */
> > + if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
> >
> >
> > Should there also be a S_IFREG check to make sure no one is trying any other
> > tricks? I'm not sure of what an exploit would be but for the sake of paranoia
> > it seems a cheap test.
> >
> > I take it no one wants to start checking directory tree permissions etc.
>
> They may want a symlink to point to somewhere else. I can see that. In
> fact, I can see settings for Unix group sharing a password file but I am
> not going to suggest loosening the group permissions until someone says
> they want that.

Doesn't stat() resolve all symlinks? I must admit it's not something I've checked but I thought it went through until it found a non symlink. I'm probably just being too paranoid about pipes etc. though.

I'd wait and see about the group permissions as well. I can't really see the need myself. I'm not very imaginative at times though. Maybe in a teaching environment.

-- 
Nigel J. Andrews
Patch applied. Thanks.

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> On Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
> Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>
> > Alvaro Herrera wrote:
> > > Bruce Momjian said:
> > >
> > > > Tom Lane wrote:
> > > >
> > > > > If you want to put in security restrictions that are actually useful,
> > > > > where is the code to verify that PGPASSWORDFILE points at a
> > > > > non-world-readable file? That needs to be there now, not later, or
> > > > > we'll have people moaning about backward compatibility when we finally
> > > > > do plug that hole.
> > > >
> > > > Agreed.
> > >
> > > Point taken, will look into it later.
> >
> > Here is some code from postmaster.c that may help:
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.
>
> --
> Alvaro Herrera (<alvherre[a]atentus.com>)
> "When tomorrow comes, we will fight according to what tomorrow demands" (Mowgli)

[ Attachment, skipping... ]

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Nigel J. Andrews wrote:
> > They may want a symlink to point to somewhere else. I can see that. In
> > fact, I can see settings for Unix group sharing a password file but I am
> > not going to suggest loosening the group permissions until someone says
> > they want that.
>
> Doesn't stat() resolve all symlinks?

Yep, only lstat() sees symlinks.

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
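
The checks discussed in this thread, collected as an added example (not the patch that was applied, and not PostgreSQL code): the patch's group/other mask, the file-type test Nigel asks about, and an owner check, all run with fstat() on the opened descriptor. The names `check_pwfile` and `check_fixture`, the owner check, and the temp-file fixtures under /tmp are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700  /* mkdtemp, mkfifo, symlink, lstat */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum { PW_OK, PW_NOFILE, PW_NOTREG, PW_NOTOWNER, PW_LOOSE };

/* Hypothetical helper: open first, then fstat() the descriptor that will be read. */
static int check_pwfile(const char *path)
{
    struct stat sb;
    int rc = PW_OK, fd = open(path, O_RDONLY | O_NONBLOCK); /* never hang on a FIFO */
    if (fd < 0 || fstat(fd, &sb) != 0)
        rc = PW_NOFILE;
    else if (!S_ISREG(sb.st_mode))               /* file-type test raised in the thread */
        rc = PW_NOTREG;
    else if (sb.st_uid != geteuid())             /* assumption: owner must be the caller */
        rc = PW_NOTOWNER;
    else if (sb.st_mode & (S_IRWXG | S_IRWXO))   /* same mask as the quoted patch */
        rc = PW_LOOSE;
    if (fd >= 0) close(fd);
    return rc;
}

/* Constructed fixture: 'f' file with `mode`, 'l' symlink to it (only lstat() sees it), 'p' FIFO. */
static int check_fixture(char kind, mode_t mode)
{
    char dir[] = "/tmp/pwchkXXXXXX", file[64], lnk[64];
    struct stat lsb;
    int fd = -1, rc;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/pgpass", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (kind == 'p' ? (mkfifo(file, 0600) != 0)
                    : ((fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || chmod(file, mode) != 0))
        return -1;
    if (fd >= 0) close(fd);
    if (kind == 'l' && (symlink(file, lnk) != 0 || lstat(lnk, &lsb) != 0 || !S_ISLNK(lsb.st_mode)))
        return -1;
    rc = check_pwfile(kind == 'l' ? lnk : file);
    unlink(lnk); unlink(file); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("0600=%d 0640=%d symlink=%d fifo=%d\n", check_fixture('f', 0600),
           check_fixture('f', 0640), check_fixture('l', 0600), check_fixture('p', 0));
}
```

The symlink case is accepted because open() and fstat() act on the link's target, as stat() does; the FIFO is rejected as not a regular file even though its mode is 0600.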