Security implications of config-file-location patch

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Security implications of config-file-location patch
Date: 2004-10-08 01:55:32
Message-ID: 27029.1097200532@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

In prior versions of Postgres, it has never been possible to remotely
find out the data directory location being used by the postmaster
(at least not without hacking some C code, which only superusers may
do).

You can make about equally good arguments that this is a bug or that
it's a feature:

BUG: it would be handy to be able to find that out remotely, especially
when you are admin for many postmasters and have forgotten which is
which.

FEATURE: ordinary users should not need to know this, and knowing it
might aid blackhat users in attacking the server.

As of CVS tip, if you are using the config-file-location-changing
features, anybody can find out the data directory location via
"show pgdata"; and they can find out where you put the secondary
config files too, if it's not default. So we now have either a
feature or a bug.

If you consider it a feature then it's incomplete: it would be handy for
"show pgdata" to tell the truth all the time, whether you'd set the path
in postgresql.conf or not. Ditto for the config filename variables.

If you consider it a bug then CVS tip has a potential security
vulnerability that was never there before.

I am sort of on the fence about this. I am thinking that it would be
good to expose this information, but *only* to superusers. It would not
take much code to add a GUC variable flag bit that prevents
non-superusers from examining the value of the GUC variable, and only a
little more code to reflect the correct paths into these variables all
the time.

Comments, objections, better ideas? If I hear no objection I'll make it
work that way.

regards, tom lane

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2004-10-08 02:22:14 Re: Security implications of config-file-location patch
Previous Message Bruce Momjian 2004-10-08 00:38:57 Re: more dirmod CYGWIN