Re: logfile subprocess and Fancy File Functions

Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Thinking we have security because they can't guess
> > pgdata seems like security through obscurity to me.
>
> Sure, but it's still a useful roadblock to throw in an attacker's way.
>
> I spent many years doing computer security stuff, and one thing I
> learned is that the more layers of security you can have, the better.
> You don't put all your faith in any one roadblock; you erect a series
> of them that an attacker will have to break through all of.  If some
> of 'em are a little porous, that doesn't make 'em useless.
>
> In today's context, I think the main point of requiring an attacker
> to guess $PGDATA is that it helps avoid the "software monoculture"
> syndrome.  If someone did manage to write a Postgres-based virus that
> involved an exploit in this area, it could only spread to machines
> that had the $PGDATA value the virus writer was expecting.

As a super-user, could an attacker load a server-side language and
access the backend environment variable PGDATA.  Also look at this:

  test=> CREATE FUNCTION "xxx_call_handler" () RETURNS language_handler AS '$libdir/pltcl' LANGUAGE C;
  ERROR:  could not find function "xxx_call_handler" in file "/usr/var/local/postgres/lib/pltcl.so"

Notice the expansion of "$libdir".

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073