Re: Potential Security Issue: Permissions in PgAdmin Installation Directory

On Sat, Jun 1, 2024 at 8:34 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Akshay, could you or one of the team look into this please?
>
I am looking into this issue

>
> Thanks.
>
> On Fri, 31 May 2024 at 23:27, Qasim Tahir <qasimtahir(dot)qt1(at)gmail(dot)com>
> wrote:
>
>> Hi,
>> Platform and package details are below
>>
>> Platform: *Rocky 8.9*
>> *pgadmin *version*: 8.7*
>>
>> Regards
>> Qasim
>>
>> On Sat, Jun 1, 2024 at 3:09 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>
>>> Hi
>>>
>>> On Thu, 30 May 2024 at 23:17, Qasim Tahir <qasimtahir(dot)qt1(at)gmail(dot)com>
>>> wrote:
>>>
>>>> Dear PgAdmin Community,
>>>>
>>>> I am writing to report a potential security issue with the permissions
>>>> set in the PgAdmin installation directory.
>>>>
>>>> After installing PgAdmin, I observed that several directories,
>>>> including 'bin', 'venv', and 'web', have 775 permissions. Here are the
>>>> details of the directory permissions:
>>>> [image: image.png]
>>>>
>>>> Given the broad access provided by 775 permissions, there is a concern
>>>> about the potential for unauthorized access or modifications.
>>>>
>>>>
>>>> I would like to ask if these permissions are necessary for PgAdmin's
>>>> operation or if they could be tightened to enhance security.
>>>>
>>>> Your guidance on this matter would be greatly appreciated.
>>>>
>>>> Thank you for your attention to this issue.
>>>>
>>>
>>> What platform and package is this exactly?
>>>
>>> --
>>> Dave Page
>>> pgAdmin: https://www.pgadmin.org
>>> PostgreSQL: https://www.postgresql.org
>>> EDB: https://www.enterprisedb.com
>>>
>>>
>
> --
> Dave Page
> pgAdmin: https://www.pgadmin.org
> PostgreSQL: https://www.postgresql.org
> EDB: https://www.enterprisedb.com
>
>