Re: file_fdw target file ownership

From: "Daniel Vérité" <daniel(dot)verite(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: file_fdw target file ownership
Date: 2013-09-09 19:41:00
Message-ID: 87401d22-73dc-4320-8640-c72729547a95@mm
Lists: pgsql-hackers

Tom Lane writes:

> Andres Freund <andres(at)2ndquadrant(dot)com> writes:
>
> > One would be to use open(O_NOFOLLOW)?
>
> That would only stop symlink attacks, not hardlink variants;
> and it'd probably stop some legitimate use-cases too.

The creation of the hardlink is denied by the OS based on the
attacker not having sufficient permissions to the target file.
In principle the mentioned loophole is limited to a symlink, which
is not restricted at create time.

Thinking a bit more about the scenario of the malicious writer,
I think the secure way to proceed for the superuser would be to
set up two directories, one with write permissions to the
producer of data, the other without.

The superuser would have to move the file from the writable
dir to the non-writable dir, before creating the foreign table. The
file itself should remain writable by the uploader if it's live data.
The data-producer has to be aware that updates happen
at a different path than uploads.

The problem is that it's really not intuitive. I can imagine unaware
admins implementing the insecure process without a second thought.

By contrast, if symlinks were followed only optionally, it would
be safer as a default choice and the installations that need symlinks could
still use something like:

CREATE FOREIGN TABLE (...) SERVER name
OPTIONS (symlink_allowed 'on', filename '/path/to/file', ...)

The mere existence of the option is a hint that there are consequences
to consider.

Best regards,
--
Daniel Vérité
PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
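As an added illustration of the two checks discussed in this thread (not file_fdw's code, nor anything posted by the participants), here is a small C routine a server could run on a target path before reading it: a hypothetical symlink_allowed flag mirrors the option proposed above, and an st_nlink check covers the hardlink variant that O_NOFOLLOW alone does not stop. The temp directory and file names in the fixture are constructed for the demo.

```c
#define _GNU_SOURCE 1  /* mkdtemp, lstat, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum fdw_check { FDW_OK, FDW_SYMLINK, FDW_HARDLINK, FDW_NOT_REGULAR, FDW_OPEN_FAILED };

/* Validate a file_fdw-style target path. symlink_allowed is the hypothetical
 * per-table option from the mail; the st_nlink check covers the hardlink
 * variant that O_NOFOLLOW alone does not catch. Returns FDW_OK or a reason. */
int check_fdw_target(const char *path, int symlink_allowed)
{
    struct stat lst, fst;
    int fd;
    if (lstat(path, &lst) != 0) return FDW_OPEN_FAILED;
    if (S_ISLNK(lst.st_mode) && !symlink_allowed) return FDW_SYMLINK;
    /* fstat the open descriptor so the checks apply to the object that would
     * actually be read, not to a path that may be swapped after a stat() */
    fd = open(path, O_RDONLY | (symlink_allowed ? 0 : O_NOFOLLOW));
    if (fd < 0) return FDW_OPEN_FAILED;
    if (fstat(fd, &fst) != 0) { close(fd); return FDW_OPEN_FAILED; }
    close(fd);
    if (!S_ISREG(fst.st_mode)) return FDW_NOT_REGULAR;
    if (fst.st_nlink > 1) return FDW_HARDLINK;  /* another name for this inode exists */
    return FDW_OK;
}

/* Constructed fixture in a temp dir: regular file a, symlink l -> a, regular
 * file b plus hardlink h -> b. Fills out[0..3] with the four check results. */
int demo_results(int out[4])
{
    char dir[] = "/tmp/fdwdemo.XXXXXX", a[64], b[64], l[64], h[64];
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/a", dir); snprintf(b, sizeof b, "%s/b", dir);
    snprintf(l, sizeof l, "%s/l", dir); snprintf(h, sizeof h, "%s/h", dir);
    if (!(f = fopen(a, "w"))) return -1; fputs("1,one\n", f); fclose(f);
    if (!(f = fopen(b, "w"))) return -1; fputs("2,two\n", f); fclose(f);
    if (symlink(a, l) != 0 || link(b, h) != 0) return -1;
    out[0] = check_fdw_target(a, 0);  /* plain file: FDW_OK */
    out[1] = check_fdw_target(l, 0);  /* symlink, option off: FDW_SYMLINK */
    out[2] = check_fdw_target(l, 1);  /* symlink, option on: FDW_OK */
    out[3] = check_fdw_target(h, 0);  /* hardlink: FDW_HARDLINK */
    unlink(h); unlink(l); unlink(b); unlink(a); rmdir(dir);
    return 0;
}
```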
