Fwd: init scripts and su

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Fwd: init scripts and su
Date: 2004-07-31 08:15:52
Message-ID: 200407311015.52359.peter_e@gmx.net
Lists: pgsql-hackers

For your amusement...

--
Peter Eisentraut
http://developer.postgresql.org/~petere/


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: init scripts and su
Date: 2004-08-06 04:43:54
Message-ID: 7009.1091767434@sss.pgh.pa.us
Lists: pgsql-hackers

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> For your amusement...

> During the time between the daemon launch and it closing its file
> handles and calling setsid(2) (which some daemons don't do because
> they are buggy) any other code running in the same UID could take over
> the process via ptrace, fork off a child process that inherits the
> administrator tty, and then stuff characters into the keyboard buffer
> with ioctl(fd,TIOCSTI,&c) (*).

(a) And there would be untrusted code running as postgres exactly why?

(b) Seems to me the real security bug here is the mere existence of that
ioctl call.

regards, tom lane
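
The window the quoted paragraph describes is the stretch between `su`/`fork` and the daemon detaching from the administrator's session. What follows is an added example, not code from this thread or from PostgreSQL, showing the two things a daemon has to do to close it on Linux: drop the inherited tty (close descriptors, `setsid(2)`) and make itself non-ptraceable by other same-UID processes (`prctl(PR_SET_DUMPABLE, 0)`, Linux-specific). The `child_tty_after_detach` helper is mine, written so the result can be checked: it forks, detaches in the child, and reports via exit status whether a controlling tty or ptrace-ability survived.

```c
/* Added example (not from the thread or PostgreSQL): closing the
 * inherited-tty / ptrace window that a daemon started via su leaves open.
 * Assumes Linux for prctl(); everything else is POSIX. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process still has a controlling terminal.
 * open("/dev/tty") fails with ENXIO once the process has none, which is
 * the state setsid(2) is supposed to leave a daemon in. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Detach from the invoking administrator's session before doing anything
 * that touches untrusted input.  Returns 0 on success, -1 on failure.
 * Must be called from a process that is not a process-group leader
 * (i.e. after fork()), otherwise setsid() fails with EPERM. */
int detach_from_admin_session(void)
{
    /* 1. Close every inherited descriptor above 2 so that no child we
     *    fork later can reach the administrator's terminal.  The cap is
     *    a pragmatic limit on the sweep; closefrom()/close_range() do
     *    this properly where available. */
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++)
        close(fd);

    /* 2. Point stdin/stdout/stderr at /dev/null instead of the tty. */
    int null = open("/dev/null", O_RDWR);
    if (null < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(null, fd) < 0)
            return -1;
    if (null > 2)
        close(null);

    /* 3. New session: no controlling tty, so TIOCSTI has nothing to
     *    inject into even if an attacker gets a descriptor later. */
    if (setsid() < 0)
        return -1;

    /* 4. Clear the dumpable flag: a non-dumpable process can only be
     *    ptrace-attached by a process holding CAP_SYS_PTRACE, which
     *    shuts out "other code running as the same UID". */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
        return -1;
    return 0;
}

/* Test driver: detach in a forked child and report what is left.
 * Returns a bitmask: bit 0 = child still has a controlling tty,
 * bit 1 = child is still dumpable (ptrace-able by same UID);
 * 4 = detach itself failed; -1 = fork/wait error.  0 means hardened. */
int child_tty_after_detach(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_admin_session() < 0)
            _exit(4);
        int mask = has_controlling_tty() ? 1 : 0;
        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
            mask |= 2;
        _exit(mask);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("parent has controlling tty: %s\n",
           has_controlling_tty() ? "yes" : "no");
    int r = child_tty_after_detach();
    printf("child after detach: tty=%s dumpable=%s (mask %d)\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no", r);
    return r == 0 ? 0 : 1;
}
```

Run it from an interactive shell and the parent reports a tty while the child reports none; the same ordering matters in an init script, where `su postgres -c ...` hands the daemon root's terminal and nothing detaches it until the daemon does so itself. On the `ioctl` side of Tom's point (b), Linux 6.2 and later can disable the legacy behaviour system-wide with `sysctl dev.tty.legacy_tiocsti=0`, but a daemon cannot rely on that setting being present on the hosts it runs on.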


From: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: init scripts and su
Date: 2004-08-06 04:57:08
Message-ID: 41130FA4.1040902@familyhealth.com.au
Lists: pgsql-hackers

>>During the time between the daemon launch and it closing its file
>>handles and calling setsid(2) (which some daemons don't do because
>>they are buggy) any other code running in the same UID could take over
>>the process via ptrace, fork off a child process that inherits the
>>administrator tty, and then stuff characters into the keyboard buffer
>>with ioctl(fd,TIOCSTI,&c) (*).
>
> (a) And there would be untrusted code running as postgres exactly why?
>
> (b) Seems to me the real security bug here is the mere existence of that
> ioctl call.

I was asked on IRC just why we can't have user=postgres and
group=postgres in the postgresql.conf, and simply when we are run as
root, switch to that user and group.

Chris


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: init scripts and su
Date: 2004-08-06 05:06:23
Message-ID: 7311.1091768783@sss.pgh.pa.us
Lists: pgsql-hackers

Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> writes:
> I was asked on IRC just why we can't have user=postgres and
> group=postgres in the postgresql.conf, and simply when we are run as
> root, switch to that user and group.

I should think that running as root up until sometime after we have read
postgresql.conf would open up more security issues. It's certainly not
a way to close this one...

regards, tom lane


From: Andreas Pflug <pgadmin(at)pse-consulting(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: init scripts and su
Date: 2004-08-06 09:50:54
Message-ID: 4113547E.9030409@pse-consulting.de
Lists: pgsql-hackers

Tom Lane wrote:
> Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> writes:
>
>>I was asked on IRC just why we can't have user=postgres and
>>group=postgres in the postgresql.conf, and simply when we are run as
>>root, switch to that user and group.
>
> I should think that running as root up until sometime after we have read
> postgresql.conf would open up more security issues. It's certainly not
> a way to close this one...
>

postmaster could use postgres/postgres by default, overridable by
command line.

Regards,
Andreas


From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: init scripts and su
Date: 2004-08-09 08:17:02
Message-ID: 200408091017.02555.peter_e@gmx.net
Lists: pgsql-hackers

Tom Lane wrote:
> (a) And there would be untrusted code running as postgres exactly
> why?

Because someone has cracked the PostgreSQL server.

> (b) Seems to me the real security bug here is the mere existence of
> that ioctl call.

Probably. I'm just pointing out the findings about the environment
we're operating in. The fact is that right now "run as postgres to
protect your root account" won't work on some systems and with
unfortunately written init scripts.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/