Re: Directory/File Access Permissions for COPY and Generic File Access Functions

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Wed, Oct 29, 2014 at 10:52 AM, Andres Freund <andres(at)2ndquadrant(dot)com> wrote:
> >> The larger point though is that this is just one of innumerable attack
> >> routes for anyone with the ability to make the server do filesystem reads
> >> or writes of his choosing. If you think that's something you can safely
> >> give to people you don't trust enough to make them superusers, you are
> >> wrong, and I don't particularly want to spend the next ten years trying
> >> to wrap band-aids around your misjudgment.
> >
> > ... but that doesn't necessarily address this point.
>
> I think the question is "just how innumerable are those attack
> routes"? So, we can prevent a symlink from being used via O_NOFOLLOW.
> But what about hard links?

You can't hard link to files you don't own.

sfrost(at)tamriel:/home/sfrost> ln /home/archive/xx.tar.gz
ln: failed to create hard link ?./xx.tar.gz? => ?/home/archive/xx.tar.gz?: Operation not permitted

> In general, the hazard is that an untrusted user can induce the user
> to read or write a file that the user in question could not have read
> or written himself. It's not clear to me whether it's reasonably
> possible to build a system that is robust against such attacks, or
> not.

There are certainly use-cases where the user executing the COPY doesn't
have any direct access to the filesystem at all but only through PG.
Taken to a bit of an extreme, you could say we already provide that
today. ;)

Thanks!

Stephen