Re: file_fdw target file ownership

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andres Freund <andres(at)2ndquadrant(dot)com>
Cc: Daniel Vérité <daniel(dot)verite(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: file_fdw target file ownership
Date: 2013-09-09 20:29:36
Message-ID: 26397.1378758576@sss.pgh.pa.us
Lists: pgsql-hackers

Andres Freund <andres(at)2ndquadrant(dot)com> writes:
> On 2013-09-09 21:41:00 +0200, Daniel Vérité wrote:
>> Tom Lane writes:
>>> That would only stop symlink attacks, not hardlink variants;

>> The creation of the hardlink is denied by the OS based on the
>> attacker not having sufficient permissions to the target file.

> It only requires search privileges, doesn't it?

Yeah, it would be a mistake to assume that the OS will prevent a hardlink
operation based on file ownership. Even if some OSes behave that way,
it's far from universal.

It's true that an attacker has to be able to name the target file to do a
hardlink, so if he lacks search privileges on a parent directory then he
can't hardlink (but he can still mount a symlink attack, if he knows what
the path name would be). So preventing the symlink variant would help for
the particular case of a PG server key stored inside $PGDATA. But it
doesn't seem to me that that's enough coverage to call it a solution.
People sometimes keep server keys elsewhere, for instance.

regards, tom lane
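The distinction Tom draws above, between a symlink (caught by refusing to follow the final path component) and a hardlink (which shares the target's inode, so ownership looks identical and only the link count betrays it), can be illustrated with a small reader-side check. The following is an added example, not code from this thread or from file_fdw; the function name `check_plain_file`, the temporary directory layout and the "server.key" contents are constructed for the demonstration. It assumes a POSIX filesystem where `O_NOFOLLOW` and `os.link` are available.

```python
import os
import stat
import tempfile


def check_plain_file(path, expected_uid=None):
    """Open `path` without following a final symlink and refuse files that
    may have been reached through a link. Returns (ok, reason).

    - O_NOFOLLOW makes the open fail (ELOOP) if the last component is a symlink.
    - st_nlink > 1 means another directory entry names the same inode, i.e.
      a hardlink exists somewhere; ownership cannot tell the two apart.
    - the owner check is the ownership test the thread subject refers to.
    Assumed helper, not part of file_fdw.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        return False, f"open failed: {e.strerror}"
    try:
        st = os.fstat(fd)  # fstat on the descriptor, not stat on the name
    finally:
        os.close(fd)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_nlink != 1:
        return False, f"link count is {st.st_nlink}, expected 1"
    if st.st_uid != expected_uid:
        return False, f"owner uid {st.st_uid} != expected uid {expected_uid}"
    return True, "ok"


def demo():
    """Constructed scenario: a plain file, then a symlink and a hardlink to it."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "server.key")
        with open(secret, "w") as f:
            f.write("constructed key material, not a real key\n")
        results = {"plain": check_plain_file(secret)[0]}

        sym = os.path.join(d, "via_symlink")
        os.symlink(secret, sym)
        results["symlink"] = check_plain_file(sym)[0]

        hard = os.path.join(d, "via_hardlink")
        os.link(secret, hard)
        results["hardlink"] = check_plain_file(hard)[0]
        # Once a hardlink exists, the original name is rejected too: the
        # inode now has two names and the check cannot tell which is legitimate.
        results["original_after_hardlink"] = check_plain_file(secret)[0]
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The owner comparison alone would accept the hardlink, since both names resolve to the same inode with the same `st_uid`; only the link-count test catches it, and as the last result shows it does so symmetrically, rejecting the original path as well. That matches the point in the message that a symlink check covers one variant only, and that a reader-side check cannot protect a file the attacker can name from a directory he has search rights on.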
