Re: [GENERAL] BUG #1830: Non-super-user must be able to copy from a

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>, Bernard <bht(at)actrix(dot)gen(dot)nz>, Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-bugs(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: [GENERAL] BUG #1830: Non-super-user must be able to copy from a
Date: 2005-08-19 14:00:04
Message-ID: 20050819140004.GC6226@svana.org
Lists: pgsql-bugs pgsql-general

On Fri, Aug 19, 2005 at 09:15:52AM -0400, Stephen Frost wrote:
> Personally, I do like the idea of a user-level 'copy server-side files'
> permission that could be granted to reduce the need for things to run as
> superuser.

There is one important point though: The server copying things is
seriously restricted. No matter how much authentication you do, the
server cannot *become* you. Hence it cannot access your files unless
they are world readable.

For similar reasons, it cannot prevent the user from accessing the
postgresql system files since it *is* the postgresql user and that
cannot be changed. The UNIX way around this would be for the client to
open the file with its permissions and then pass the FD to the server.
But that's a rather interesting twist that only works on local sockets.

> I'd probably still set up a SECURITY DEFINER function to a
> user with those permissions as an additional layer of security but it'd
> be nice to not have to run the function as superuser.

Superuser is still limited by the system uid; that can't be changed.

> It is, of course, good to note that current Postgres 'md5' auth method
> usage means that a compromise of pg_shadow (pg_authid) gives the
> attacker superuser access immediately (the hash itself is the actual
> authentication token, the password isn't actually interesting in that
> case).

It's a compromise solution. Normal authentication (aka shadow file):
server has only hash but password is in clear over the wire. MD5 auth:
server knows the password (or enough to spoof) but it's not in the
clear over the wire. Pick your poison...

For true security use public key auth (certificates / keys / etc).

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
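The descriptor-passing idea from the message above, as a worked example added here (not code from the thread or from PostgreSQL): the client opens the file under its own uid and hands the open descriptor to the peer over an AF_UNIX socket via SCM_RIGHTS, so the peer reads a file it could never open by name. The receiving side also checks what it was given before using it. The function names, the temp-file setup and the sample CSV payload are all constructed for this example; it assumes Python 3.9+ (`socket.send_fds`/`socket.recv_fds`) on a Unix platform, and runs both ends in one process over a socketpair.

```python
import fcntl
import os
import socket
import stat
import tempfile


def client_send_file(sock, path, writable=False):
    """Client side (hypothetical helper): open the file with the *client's*
    credentials and pass the open descriptor to the peer.  Only the
    descriptor travels; the path is sent as payload for logging."""
    flags = os.O_RDWR if writable else os.O_RDONLY
    fd = os.open(path, flags)
    try:
        socket.send_fds(sock, [path.encode()], [fd])
    finally:
        os.close(fd)  # our copy; the peer now holds its own reference


def server_receive_file(sock):
    """Server side (hypothetical helper): receive the descriptor and read
    through it.  The server never opens the path itself, so its own uid
    (e.g. the postgres user) is irrelevant to what gets read."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 4096, 1)
    if len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise RuntimeError("expected exactly one descriptor")
    fd = fds[0]
    try:
        # Accept only a regular file, opened read-only: a COPY FROM needs
        # nothing more, and a writable or special descriptor is a red flag.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise RuntimeError("refusing non-regular file")
        if (fcntl.fcntl(fd, fcntl.F_GETFL) & os.O_ACCMODE) != os.O_RDONLY:
            raise RuntimeError("descriptor must be read-only")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership and closes fd
        return msg.decode(), f.read()


def demo_fd_passing(contents, writable=False):
    """Run both ends in one process over a socketpair and return the bytes
    the 'server' read.  In a real deployment the two ends are different
    uids; here the 0600 mode only documents that the file is not
    world-readable, which is exactly the case the thread is about."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(contents)
        path = tmp.name
    os.chmod(path, 0o600)
    client_sock, server_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client_send_file(client_sock, path, writable=writable)
        name, data = server_receive_file(server_sock)
    finally:
        client_sock.close()
        server_sock.close()
        os.unlink(path)
    if name != path:
        raise RuntimeError("payload/descriptor mismatch")
    return data


if __name__ == "__main__":
    # Constructed sample input: a two-row CSV as COPY FROM would consume.
    print(demo_fd_passing(b"1,alice\n2,bob\n"))
```

As the message notes, this only works over a local (Unix-domain) socket; there is no equivalent for TCP clients, which is why it is a narrow workaround rather than a general replacement for a server-side file permission.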
