Re: [INTERFACES] pg_pwd

On Fri, 19 Nov 1999, Tom Lane wrote:
> > in rh6.1 /var/lib/pgsql is 755 (and no, I haven't changed anything)
> > can you spell "2_KM_DIAMETER_HOLE" ?
> 
> In a standard setup, pg_pwd is inside .../pgsql/data which is mode 700.
> Have the RH guys really blown it this badly?  (Lamar?)

PGDATA is in fact 755 in the RPM installation.  pg_pwd is the only file 666
under this directory.

Since pg_pwd is not very well documented, it is kind of hard to figure out
the permissions -- however, it is simple enough to issue a security advisory
for people to chmod 0700 /var/lib/pgsql.

The change to mode 0700 for PGDATA (which is moving in the future) will be made
in future RPM's.  Again, no other file under /var/lib/pgsql under RH6.1 has
group or world permissions EXCEPT pg_pwd.

And yes, this IS a glaring security hole, IF the user postgres has a postgres
password.  Just WHY is pg_pwd mode 666 in the first place??

--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11