Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
| Field | Value |
|---|---|
| From | Selena Deckelmann |
| Subject | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Date | |
| Msg-id | CAN1EF+zvd+ywykY6P=Sm2p-vcC3OYqKeTmvqNP145gQXxD3Zig@mail.gmail.com |
| In reply to | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com); Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| List | pgsql-advocacy |
On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
>> Comments?
>>
>> http://blog.blackwinghq.com/2013/04/08/2/
>
> It is interesting how they try to combine the write ability to a web
> server or postgres .profile file; I find the .profile particularly
> nasty.
Yup. It's maybe an argument for chroot'ing the server to the $PGDATA directory. I realize that's probably not reasonable for stuff like extensions right now.
Also, a related best practice is keeping track of all the files that are in home directories of privileged users with something like Puppet or Chef -- so even if an attacker *does* overwrite a file like this, automation will wipe it out.
-selena
http://chesnok.com
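An added example of the second suggestion above (Puppet managing the service account's login files); it is not code from this thread, from Selena, or from the PostgreSQL project. It assumes a Debian/Ubuntu layout where the postgres account's home is /var/lib/postgresql and the user and group are both named postgres; the placeholder file contents are likewise an assumption, to be replaced by whatever your site actually ships.

```puppet
# Added example, not code from the mailing-list thread. Assumes a
# Debian/Ubuntu layout (home of the postgres service account is
# /var/lib/postgresql, user and group "postgres"); adjust for other
# distributions.
$home = '/var/lib/postgresql'

# Placeholder content (an assumption for this example). The point is that
# the *content* is managed, not merely the file's existence: Puppet rewrites
# the file whenever it differs, so a .profile an attacker managed to write
# survives only until the next agent run.
$marker = "# Managed by Puppet. Local changes are reverted on every agent run.\n"

file { ["${home}/.profile", "${home}/.bashrc"]:
  ensure    => file,
  owner     => 'postgres',
  group     => 'postgres',
  mode      => '0644',
  content   => $marker,
  replace   => true,   # the default, stated explicitly because it is the point
  backup    => false,  # do not preserve the attacker's version in the filebucket
  show_diff => false,  # keep injected content out of agent logs and reports
}

# bash reads only the first of ~/.bash_profile, ~/.bash_login, ~/.profile
# that exists, so dropping a ~/.bash_profile would bypass a managed
# ~/.profile entirely. Keep the alternatives absent.
file { ["${home}/.bash_profile", "${home}/.bash_login"]:
  ensure => absent,
  backup => false,
}

# Ownership on the dotfiles is moot if the directory itself is group- or
# world-writable, so pin that too.
file { $home:
  ensure => directory,
  owner  => 'postgres',
  group  => 'postgres',
  mode   => '0750',
}
```

Two caveats for anyone adopting this. First, it shrinks the attacker's window rather than closing it: the file is only reverted on the next agent run (30 minutes by default), and whatever was written is still executed if someone logs in as postgres before then, so pair it with file integrity monitoring that alerts on the change rather than silently repairing it. Second, do not be tempted to `purge` the whole home directory recursively on a Debian-style layout, since the data directories live underneath it.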