| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Michael Fuhr <mike(at)fuhr(dot)org> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Bugtraq: Having Fun With PostgreSQL |
| Date: | 2007-06-17 02:42:55 |
| Message-ID: | 24660.1182048175@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Michael Fuhr <mike(at)fuhr(dot)org> writes:
> A message entitled "Having Fun With PostgreSQL" was posted to Bugtraq
> today. I haven't read through the paper yet so I don't know if the
> author discusses security problems that need attention or if the
> article is more like a compilation of "Stupid PostgreSQL Tricks."
> http://www.securityfocus.com/archive/1/471541/30/0/threaded
It appears he's discovered the astonishing facts that
1. The out-of-the-box authentication setup is "trust".
2. A superuser can make the database do whatever he wants (within
the OS privilege limits of the postgres user).
We've debated #1 before, and a lot of repackagers change it, but I
don't really feel a strong urge to change it in the source distro.
As for #2, that's not a bug, it's intended behavior.
regards, tom lane
PS: I skimmed the paper pretty fast, so it's possible I missed
something interesting, but it sure looked like "what else is new?"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeremy Drake | 2007-06-17 02:44:53 | Re: Bugtraq: Having Fun With PostgreSQL |
| Previous Message | Michael Fuhr | 2007-06-17 01:12:11 | Bugtraq: Having Fun With PostgreSQL |