Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
| От | Bruce Momjian |
|---|---|
| Тема | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Дата | |
| Msg-id | 20130411191244.GF6028@momjian.us обсуждение исходный текст |
| Ответ на | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) (Thom Brown <thom@linux.com>) |
| Список | pgsql-advocacy |
On Thu, Apr 11, 2013 at 06:24:54PM +0100, Thom Brown wrote: > On 11 April 2013 18:15, Selena Deckelmann <selena@chesnok.com> wrote: > > > > > > > > On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote: > >> > >> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote: > >> > Comments? > >> > > >> > http://blog.blackwinghq.com/2013/04/08/2/ > >> > >> It is interesting how they try to combine the write ability to a web > >> server or postgres .profile file; I find the .profile particularly > >> nasty. > > > > > > Yup. It's maybe an argument for chroot'ing the server to the $PGDATA > > directory. I realize that's probably not reasonable for stuff like > > extensions right now. > > > > Also, a related best practice is keeping track of all the files that are in > > home directories of privileged users with something like Puppet or Chef -- > > so even if an attacker *does* overwrite a file like this, automation will > > wipe it out. > > Couldn't you deny write-access to .profile to the postgres user? You could, but they could create .bashrc, .bash_profile, or .bash_logout, which would cause the same problem. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
В списке pgsql-advocacy по дате отправления: