Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)

From Selena Deckelmann
Subject Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Date
Msg-id CAN1EF+zvd+ywykY6P=Sm2p-vcC3OYqKeTmvqNP145gQXxD3Zig@mail.gmail.com
In reply to Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)  (Douglas J Hunley <doug.hunley@gmail.com>)
Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)  (Thom Brown <thom@linux.com>)
List pgsql-advocacy



On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce@momjian.us> wrote:
On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> Comments?
>
> http://blog.blackwinghq.com/2013/04/08/2/

It is interesting how they try to combine the write ability to a web
server or postgres .profile file;  I find the .profile particularly
nasty.

Yup. It's maybe an argument for chroot'ing the server to the $PGDATA directory. I realize that's probably not reasonable for stuff like extensions right now.

Also, a related best practice is keeping track of all the files that are in home directories of privileged users with something like Puppet or Chef -- so even if an attacker *does* overwrite a file like this, automation will wipe it out.

-selena
 
--
http://chesnok.com
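As an added example of the "let automation wipe it out" idea in Selena's reply (this is not code from the thread or from the PostgreSQL project), a Puppet manifest that pins the postgres account's shell startup files to known content. The OS user name, the Debian-style home directory and the `postgres` module shipping an approved `profile` file are assumptions.

```puppet
# Added example, not code from the thread or from the PostgreSQL project.
# Assumptions: the server runs as OS user 'postgres' with home
# /var/lib/postgresql, and a local 'postgres' module ships the approved
# .profile as files/profile.
$pg_user = 'postgres'
$pg_home = '/var/lib/postgresql'

user { $pg_user:
  ensure => present,
  home   => $pg_home,
  shell  => '/bin/bash',
}

# The approved startup file. On every agent run Puppet compares the
# on-disk copy with the module's copy and rewrites it when they differ,
# so anything an attacker appended to it is discarded.
file { "${pg_home}/.profile":
  ensure  => file,
  owner   => $pg_user,
  group   => $pg_user,
  mode    => '0644',
  source  => 'puppet:///modules/postgres/profile',
  require => User[$pg_user],
}

# bash reads .bash_profile or .bash_login instead of .profile when one
# of them exists, so an attacker who can create files would just write
# one of those; refuse to let them exist at all.
file { ["${pg_home}/.bash_profile", "${pg_home}/.bash_login"]:
  ensure  => absent,
  require => User[$pg_user],
}

# .bashrc is read by every interactive shell, so it gets the same treatment.
file { "${pg_home}/.bashrc":
  ensure  => file,
  owner   => $pg_user,
  group   => $pg_user,
  mode    => '0644',
  content => "# managed by puppet; local edits are reverted\n",
  require => User[$pg_user],
}
```

Two caveats a practitioner would want. Ownership and mode do nothing here on their own: the write discussed upthread happens as the same OS user that owns the file, so only the periodic rewrite gives any protection, and it only does so at the agent's run interval (30 minutes by default), which shrinks the window rather than closing it. Second, treat every "content changed" report for these resources as a detection signal, since nothing legitimate should be editing a postgres `.profile` between runs.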
