From: | Andrew Bartlett <abartlet(at)pcug(dot)org(dot)au> |
---|---|
To: | abartlet(at)pcug(dot)org(dot)au, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SECURITY: psql allows symlink games in /tmp |
Date: | 2000-11-25 00:42:02 |
Message-ID: | 3A1F0ADA.4E21940A@pcug.org.au |
Lists: | pgsql-hackers |
Andrew Bartlett wrote:
>
> This code in psql/command.c allows *any* system user to place a
> predictably named symbolic link in /tmp and use it to alter/destroy
> files owned by the user running psql. (tested - postgresql 7.0.2).
>
> All the information a potential attacker would need is available via a
> simple 'ps'.
>
> It might (untested) also allow another user to exploit the race
> between the closing of the file by the editor and the re-reading of its
> contents to execute arbitrary SQL commands.
>
> IMHO these files, if they must be created in /tmp, should at least be
> created O_EXCL, but there are still editor vulnerabilities with opening
> any files in a world writeable directory (see recent joe Vulnerability:
> http://lwn.net/2000/1123/a/sec-joe.php3)
>
> My system is RedHat 6.2 on an i686, with Postgresql 7.0.2 but the same
> code currently exists in CVS (or at least CVS-web).
>
> I am not subscribed to this list, so please CC me for replies. (Also
> tell me if there is a more appropriate forum for this, but
> www.postgresql.org doesn't have a listed security issue address).
> --
> Andrew Bartlett
> abartlet(at)pcug(dot)org(dot)au
Sorry, forgot to include the offending code....
(This is part of do_edit, called from edit_file and the \e query buffer
editing function)

```c
    if (filename_arg)
        fname = filename_arg;
    else
    {
        /* make a temp file to edit */
#ifndef WIN32
        mode_t      oldumask;
        const char *tmpdirenv = getenv("TMPDIR");

        sprintf(fnametmp, "%s/psql.edit.%ld.%ld",
                tmpdirenv ? tmpdirenv : "/tmp",
                (long) geteuid(), (long) getpid());
#else
        GetTempFileName(".", "psql", 0, fnametmp);
#endif
        fname = (const char *) fnametmp;
#ifndef WIN32
        oldumask = umask(0177);
#endif
        stream = fopen(fname, "w");
#ifndef WIN32
        umask(oldumask);
#endif
```
--
Andrew Bartlett
abartlet(at)pcug(dot)org(dot)au
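The O_EXCL creation the report asks for, worked through as an added example in C; this is not psql's code, it assumes a POSIX system with mkstemp() and O_NOFOLLOW, and the function names are my own. It also covers the second point raised above, the re-read after the editor exits, by checking that the file being read back is still the inode that was created.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, fdopen, O_NOFOLLOW */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Safe counterpart of the sprintf()+fopen("w") sequence quoted above:
 * mkstemp() picks an unpredictable suffix and opens O_CREAT|O_EXCL, mode
 * 0600, so a symlink planted at a guessed name is never followed. Writes
 * the path to buf and the file's dev/inode to *st; NULL on any failure. */
FILE *open_edit_file_safely(char *buf, size_t buflen, struct stat *st)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    int n = snprintf(buf, buflen, "%s/psql.edit.XXXXXX", tmpdir);
    if (n < 0 || (size_t) n >= buflen)
        return NULL;                          /* path would be truncated */
    int fd = mkstemp(buf);
    if (fd < 0)
        return NULL;
    /* Defence in depth: a regular file we own, not group/world accessible. */
    if (fstat(fd, st) != 0 || !S_ISREG(st->st_mode) ||
        st->st_uid != geteuid() || (st->st_mode & 077) != 0) {
        close(fd); unlink(buf); return NULL;
    }
    FILE *stream = fdopen(fd, "w");
    if (stream == NULL) {
        close(fd); unlink(buf);
    }
    return stream;
}

/* After the editor exits, re-open the file without following symlinks and
 * confirm it is still the inode we created, so nothing swapped in during
 * the editor's run is read back as SQL. Returns a read-only fd, or -1. */
int reopen_edit_file_checked(const char *path, const struct stat *orig)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != orig->st_dev || now.st_ino != orig->st_ino) {
        close(fd); return -1;
    }
    return fd;
}
```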