Thread: Potential Security Issue: Permissions in PgAdmin Installation Directory

Dear PgAdmin Community,

I am writing to report a potential security issue with the permissions set in the PgAdmin installation directory.

After installing PgAdmin, I observed that several directories, including 'bin', 'venv', and 'web', have 775 permissions. Here are the details of the directory permissions:

Given the broad access provided by 775 permissions, there is a concern about the potential for unauthorized access or modifications. 

I would like to ask if these permissions are necessary for PgAdmin's operation or if they could be tightened to enhance security.

Your guidance on this matter would be greatly appreciated.

Thank you for your attention to this issue.

Akshay, could you or one of the team look into this please?

Thanks.

On Fri, 31 May 2024 at 23:27, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Hi,
Platform and package details are below

Platform: Rocky 8.9

pgadmin version:  8.7

Regards

Qasim

On Sat, Jun 1, 2024 at 3:09 AM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Thu, 30 May 2024 at 23:17, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Dear PgAdmin Community,

I am writing to report a potential security issue with the permissions set in the PgAdmin installation directory.

After installing PgAdmin, I observed that several directories, including 'bin', 'venv', and 'web', have 775 permissions. Here are the details of the directory permissions:

Given the broad access provided by 775 permissions, there is a concern about the potential for unauthorized access or modifications. 

I would like to ask if these permissions are necessary for PgAdmin's operation or if they could be tightened to enhance security.

Your guidance on this matter would be greatly appreciated.

Thank you for your attention to this issue.

What platform and package is this exactly? 

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com

Hi Everyone,

Any update regarding the issue.

Thanks
Qasim

On Mon, Jun 3, 2024 at 10:46 AM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

On Sat, Jun 1, 2024 at 8:34 PM Dave Page <dpage@pgadmin.org> wrote:

Akshay, could you or one of the team look into this please?

I am looking into this issue 

Thanks.

On Fri, 31 May 2024 at 23:27, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Hi,
Platform and package details are below

Platform: Rocky 8.9

pgadmin version:  8.7

Regards

Qasim

On Sat, Jun 1, 2024 at 3:09 AM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Thu, 30 May 2024 at 23:17, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Dear PgAdmin Community,

I am writing to report a potential security issue with the permissions set in the PgAdmin installation directory.

After installing PgAdmin, I observed that several directories, including 'bin', 'venv', and 'web', have 775 permissions. Here are the details of the directory permissions:

Given the broad access provided by 775 permissions, there is a concern about the potential for unauthorized access or modifications. 

I would like to ask if these permissions are necessary for PgAdmin's operation or if they could be tightened to enhance security.

Your guidance on this matter would be greatly appreciated.

Thank you for your attention to this issue.

What platform and package is this exactly? 

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com

Hi Everyone,

Any update regarding the issue.

Thanks
Qasim

On Mon, Jun 3, 2024 at 10:46 AM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

On Sat, Jun 1, 2024 at 8:34 PM Dave Page <dpage@pgadmin.org> wrote:

Akshay, could you or one of the team look into this please?

I am looking into this issue 

Thanks.

On Fri, 31 May 2024 at 23:27, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Hi,
Platform and package details are below

Platform: Rocky 8.9

pgadmin version:  8.7

Regards

Qasim

On Sat, Jun 1, 2024 at 3:09 AM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Thu, 30 May 2024 at 23:17, Qasim Tahir <qasimtahir.qt1@gmail.com> wrote:

Dear PgAdmin Community,

I am writing to report a potential security issue with the permissions set in the PgAdmin installation directory.

After installing PgAdmin, I observed that several directories, including 'bin', 'venv', and 'web', have 775 permissions. Here are the details of the directory permissions:

Given the broad access provided by 775 permissions, there is a concern about the potential for unauthorized access or modifications. 

I would like to ask if these permissions are necessary for PgAdmin's operation or if they could be tightened to enhance security.

Your guidance on this matter would be greatly appreciated.

Thank you for your attention to this issue.

What platform and package is this exactly? 

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com

--

Dave Page

pgAdmin: https://www.pgadmin.org

PostgreSQL: https://www.postgresql.org

EDB: https://www.enterprisedb.com