From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Andres Freund <andres(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Directory/File Access Permissions for COPY and Generic File Access Functions |
Date: | 2014-10-29 15:52:43 |
Message-ID: | CA+Tgmoa8KrphYHi7Cpp9r0hrSYuFQtUJ8T-4yD6b12gXD2+qQA@mail.gmail.com |
Lists: | pgsql-hackers |

On Wed, Oct 29, 2014 at 11:34 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> The specifics actually depend on (on Linux, at least) the value of
> /proc/sys/fs/protected_hardlink, which has existed in upstream since 3.6
> (not sure about the RHEL kernels, though I expect they've incorporated
> it also at some point along the way).
>
> There is a similar /proc/sys/fs/protected_symlinks control for dealing
> with the same kind of time-of-check / time-of-use issues that exist with
> symlinks.
>
> At least on my Ubuntu 14.04 systems, these are both set to '1'.

Playing devil's advocate here for a minute, you're saying that
new-enough versions of Linux have an optional feature that prevents
this attack. I think an argument could be made that this is basically
unsecurable on any other platform, or even old Linux versions. And it
still doesn't protect against the case where you hardlink to a file
and then the permissions on that file are later changed.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
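
Added example, not part of the original message and not PostgreSQL code: where the protected_hardlinks / protected_symlinks controls discussed above are unavailable, a program can open first and then validate the descriptor it got, refusing symlinks and files with more than one link. The names `open_checked` and `demo` and the temp-directory layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open read-only, then validate the opened object itself.
 * Returns an fd, or -1 with errno ELOOP (symlink, on Linux), EMLINK or EINVAL. */
int open_checked(const char *path)
{
    struct stat st;
    int err = 0;
    /* O_NOFOLLOW covers only the last path component; O_NONBLOCK avoids a FIFO hang */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() on the descriptor cannot be raced by relinking or renaming the path */
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        err = S_ISREG(st.st_mode) ? EMLINK : EINVAL;
    if (err) {
        close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temp directory. Returns a bitmask:
 * 1 = plain file accepted, 2 = hard-linked file rejected, 4 = symlink rejected. */
int demo(void)
{
    char dir[] = "/tmp/linkdemoXXXXXX", f[64], h[64], s[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(f, sizeof f, "%s/data", dir);
    snprintf(h, sizeof h, "%s/hard", dir);
    snprintf(s, sizeof s, "%s/sym", dir);
    if ((fd = open(f, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open_checked(f)) >= 0) { r |= 1; close(fd); }
    if (link(f, h) == 0 && open_checked(h) < 0 && errno == EMLINK) r |= 2;
    if (symlink(f, s) == 0 && open_checked(s) < 0 && errno == ELOOP) r |= 4;
    unlink(s); unlink(h); unlink(f); rmdir(dir);
    return r;
}
int main(void) { printf("demo() = %d (expect 7)\n", demo()); return 0; }
```

The link count is a snapshot taken at open time, and `O_NOFOLLOW` does not cover symlinks in parent directories of the path.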