Re: Thoughts on the location of configuration files
From | Mike Mascari |
---|---|
Subject | Re: Thoughts on the location of configuration files |
Date | |
Msg-id | 3C205B08.30EDF894@mascari.com |
In response to | Thoughts on the location of configuration files (Peter Eisentraut <peter_e@gmx.net>) |
List | pgsql-hackers |
Tom Lane wrote:
>
> Lamar Owen <lamar.owen@wgcr.org> writes:
> >> Seems to me that someone who thinks the executables should be root-owned
> >> is likely to think the same of the config files.
>
> > Sorry to disappoint you :-).
> > ...
> > However, IMHO, for best security, the executables do need to be root owned.
>
> Or at least not owned/writable by the postgres user. Sure, that seems
> like a good idea for a high-security installation. But I always thought
> the motivation for that rule was to prevent someone who'd gained some
> control of the program (eg via a buffer-overrun exploit) from expanding
> his exploit by overwriting the executables with malicious code. If the
> config files can be overwritten by the postgres user, then you still
> have an avenue for an attacker to expand his privileges. Example: he
> can trivially become postgres superuser after altering pg_hba.conf.

One of the nice features of putting configuration files in /etc instead of /var is that some people like to mount the root filesystem (non-/var directories) read-only on a disc that is physically jumpered read-only, or some other read-only media. It's an attempt to prevent buffer exploits from modifying executables and configuration files, even if root is achieved. Of course, it wouldn't stop someone from destroying anything in /var, but it at least limits the potential damage in some meaningful way.

Mike Mascari
mascarm@mascari.com
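
The two layers of protection discussed in this thread (files the postgres account cannot modify, and files on a read-only mount), as an added audit sketch that is not part of the original message. The paths, uid/gid 26 and the mount table are constructed sample data; the mount text follows the `/proc/mounts` field layout.

```python
import stat
from collections import namedtuple

# Constructed sample data: path, owner uid, group gid, permission bits.
Entry = namedtuple("Entry", "path uid gid mode")
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""
SAMPLE_FILES = [
    Entry("/usr/bin/postgres", 0, 0, 0o755),
    Entry("/etc/postgresql/pg_hba.conf", 0, 26, 0o640),
    Entry("/var/lib/pgsql/data/pg_hba.conf", 26, 26, 0o600),
]

def mount_is_readonly(path, mounts_text):
    """Pick the longest mount point containing path; True if it carries 'ro'.
    Note: a software 'ro' flag can be undone by root with a remount; the
    scenario in the message relies on physically read-only media."""
    best_mp, best_opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1].rstrip("/") or "/"
        prefix = mp if mp == "/" else mp + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best_mp):
            best_mp, best_opts = mp, fields[3].split(",")
    return "ro" in best_opts

def service_can_modify(entry, uid, gids):
    """The owner can always chmod, so ownership alone counts as write access."""
    if entry.uid == uid:
        return True
    if entry.gid in gids and entry.mode & stat.S_IWGRP:
        return True
    return bool(entry.mode & stat.S_IWOTH)

def audit(entries, uid, gids, mounts_text):
    """Label each file 'read-only mount', 'permissions only' or 'exposed'."""
    report = {}
    for e in entries:
        if mount_is_readonly(e.path, mounts_text):
            report[e.path] = "read-only mount"
        elif service_can_modify(e, uid, gids):
            report[e.path] = "exposed"
        else:
            report[e.path] = "permissions only"
    return report

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_FILES, 26, {26}, SAMPLE_MOUNTS).items():
        print(f"{verdict:16} {path}")
```

"permissions only" means the service account cannot change the file but root still can, which is the gap the read-only root filesystem is meant to close.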