Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)

From: Thom Brown <thom(at)linux(dot)com>
To: Selena Deckelmann <selena(at)chesnok(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Robert Bernier <robert(at)pg-live(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Date: 2013-04-11 17:24:54
Message-ID: CAA-aLv4A+xveCBQ59CjxJVqq3+Z1arCd4=3vR1=YtV1sVfYBKg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-advocacy

On 11 April 2013 18:15, Selena Deckelmann <selena(at)chesnok(dot)com> wrote:
>
>
>
> On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>
>> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
>> > Comments?
>> >
>> > http://blog.blackwinghq.com/2013/04/08/2/
>>
>> It is interesting how they try to combine the write ability to a web
>> server or postgres .profile file; I find the .profile particularly
>> nasty.
>
>
> Yup. It's maybe an argument for chroot'ing the server to the $PGDATA
> directory. I realize that's probably not reasonable for stuff like
> extensions right now.
>
> Also, a related best practice is keeping track of all the files that are in
> home directories of privileged users with something like Puppet or Chef --
> so even if an attacker *does* overwrite a file like this, automation will
> wipe it out.

Couldn't you deny write-access to .profile to the postgres user?

--
Thom

In response to

Responses

Browse pgsql-advocacy by date

  From Date Subject
Next Message Bruce Momjian 2013-04-11 19:12:44 Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)
Previous Message Douglas J Hunley 2013-04-11 17:19:54 Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)