| From: | Selena Deckelmann <selena(at)chesnok(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Robert Bernier <robert(at)pg-live(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Date: | 2013-04-11 17:15:34 |
| Message-ID: | CAN1EF+zvd+ywykY6P=Sm2p-vcC3OYqKeTmvqNP145gQXxD3Zig@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-advocacy |
On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> > Comments?
> >
> > http://blog.blackwinghq.com/2013/04/08/2/
>
> It is interesting how they try to combine the write ability to a web
> server or postgres .profile file; I find the .profile particularly
> nasty.
>
Yup. It's maybe an argument for chroot'ing the server to the $PGDATA
directory. I realize that's probably not reasonable for stuff like
extensions right now.
Also, a related best practice is keeping track of all the files that are in
home directories of privileged users with something like Puppet or Chef --
so even if an attacker *does* overwrite a file like this, automation will
wipe it out.
-selena
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Douglas J Hunley | 2013-04-11 17:19:54 | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |
| Previous Message | Bruce Momjian | 2013-04-11 15:05:51 | Re: Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com) |