Re: SECURITY: psql allows symlink games in /tmp
| From | Andrew Bartlett |
|---|---|
| Subject | Re: SECURITY: psql allows symlink games in /tmp |
| Date | |
| Msg-id | 3A1F0ADA.4E21940A@pcug.org.au |
| List | pgsql-hackers |
Andrew Bartlett wrote:

> This code in psql/command.c allows *any* system user to place a
> predictably named symbolic link in /tmp and use it to alter/destroy
> files owned by the user running psql. (tested - postgresql 7.0.2).
>
> All the information a potential attacker would need is available via a
> simple 'ps'.
>
> It might (untested) also allow another user to exploit the race
> between the closing of the file by the editor and the re-reading of its
> contents to execute arbitrary SQL commands.
>
> IMHO these files, if they must be created in /tmp, should at least be
> created O_EXCL, but there are still editor vulnerabilities with opening
> any files in a world writeable directory (see recent joe Vulnerability:
> http://lwn.net/2000/1123/a/sec-joe.php3)
>
> My system is RedHat 6.2 on an i686, with Postgresql 7.0.2 but the same
> code currently exists in CVS (or at least CVS-web).
>
> I am not subscribed to this list, so please CC me for replies. (Also
> tell me if there is a more appropriate forum for this, but
> www.postgresql.org doesn't have a listed security issue address).
> --
> Andrew Bartlett
> abartlet@pcug.org.au

Sorry, forgot to include the offending code.... (This is part of do_edit, called from edit_file and the \e query buffer editing function)

```c
    if (filename_arg)
        fname = filename_arg;
    else
    {
        /* make a temp file to edit */
#ifndef WIN32
        mode_t      oldumask;
        const char *tmpdirenv = getenv("TMPDIR");

        /* name is predictable: euid and pid are visible to any user via ps */
        sprintf(fnametmp, "%s/psql.edit.%ld.%ld",
                tmpdirenv ? tmpdirenv : "/tmp",
                (long) geteuid(), (long) getpid());
#else
        GetTempFileName(".", "psql", 0, fnametmp);
#endif
        fname = (const char *) fnametmp;

#ifndef WIN32
        oldumask = umask(0177);
#endif
        /* fopen("w") follows a symlink already at fname and truncates its target */
        stream = fopen(fname, "w");
#ifndef WIN32
        umask(oldumask);
#endif
```

--
Andrew Bartlett
abartlet@pcug.org.au
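The O_EXCL fix the report asks for, written out as an added example (not code from this thread or from PostgreSQL): an unpredictable name created with O_CREAT|O_EXCL via mkstemp, an fstat check on the descriptor instead of the path, and a self-check that plants a symlink at the old predictable name and confirms that exclusive creation refuses it. Function names are mine; it assumes a POSIX system with a writable TMPDIR or /tmp.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the reported predictable name + fopen(fname, "w"):
 * mkstemp picks a random name and opens it O_CREAT|O_EXCL, so a pre-placed
 * file or symlink fails instead of being followed. Returns fd or -1. */
static int make_private_edit_file(char *path, size_t pathlen)
{
    const char *tmpdir = getenv("TMPDIR");
    int fd;
    if (tmpdir == NULL || *tmpdir == '\0') tmpdir = "/tmp";
    if (snprintf(path, pathlen, "%s/psql.edit.XXXXXX", tmpdir) >= (int) pathlen)
        return -1;
    fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) {   /* pin mode 0600 */
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Verify the open descriptor, not the path (so the check cannot be raced):
 * a regular file we own, with one link and no group/other permission bits. */
static int edit_file_is_sane(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           st.st_nlink == 1 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Recreate the report's precondition in caller-owned 'dir': a symlink at the
 * predictable name. 1 only if O_CREAT|O_EXCL refuses it and no target appears. */
static int excl_refuses_planted_symlink(const char *dir)
{
    char link[4096], target[4096];
    int fd, refused;
    snprintf(link, sizeof link, "%s/psql.edit.1000.4242", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) return 0;
    fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0 && errno == EEXIST && access(target, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(link); unlink(target);
    return refused;
}
```

Note that O_EXCL only protects the creation step; the editor race the report mentions is separate and is not addressed by this block.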