| From: | Thom Brown <thom(at)linux(dot)com> |
|---|---|
| To: | Selena Deckelmann <selena(at)chesnok(dot)com> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Robert Bernier <robert(at)pg-live(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Date: | 2013-04-11 17:24:54 |
| Message-ID: | CAA-aLv4A+xveCBQ59CjxJVqq3+Z1arCd4=3vR1=YtV1sVfYBKg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-advocacy |
On 11 April 2013 18:15, Selena Deckelmann <selena(at)chesnok(dot)com> wrote:
>
>
>
> On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>
>> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
>> > Comments?
>> >
>> > http://blog.blackwinghq.com/2013/04/08/2/
>>
>> It is interesting how they try to combine the write ability to a web
>> server or postgres .profile file; I find the .profile particularly
>> nasty.
>
>
> Yup. It's maybe an argument for chroot'ing the server to the $PGDATA
> directory. I realize that's probably not reasonable for stuff like
> extensions right now.
>
> Also, a related best practice is keeping track of all the files that are in
> home directories of privileged users with something like Puppet or Chef --
> so even if an attacker *does* overwrite a file like this, automation will
> wipe it out.
Couldn't you deny write-access to .profile to the postgres user?
--
Thom
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2013-04-11 19:12:44 | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Previous Message | Douglas J Hunley | 2013-04-11 17:19:54 | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |