Re: file_fdw target file ownership

On 2013-09-09 21:41:00 +0200, Daniel Vérité wrote:
>    Tom Lane writes:
> 
> > Andres Freund <andres@2ndquadrant.com> writes:
> 
> > > One would be to use open(O_NOFOLLOW)?
> > 
> > That would only stop symlink attacks, not hardlink variants;
> > and it'd probably stop some legitimate use-cases too.
> 
> The creation of the hardlink is denied by the OS based on the
> attacker not having sufficient permissions to the target file.
> In principle the mentioned loophole is limited to a symlink, which
> is not restricted at create time.

It only requires search privileges, doesn't it?

andres@alap2:~$ ln /etc/shadow /tmp/frak
andres@alap2:~$ cat /tmp/frak
cat: /tmp/frak: Permission denied
andres@alap2:~$ ls -l /tmp/frak
-rw-r----- 2 root shadow 1652 Jun  4 22:05 /tmp/frak

There are patches around preventing that kind of thing, but they aren't
too widespread yet.

Greetings,

Andres Freund

-- Andres Freund                       http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services