Thread: pg_settings.sourcefile patch is a security breach

pg_settings.sourcefile patch is a security breach

From: Tom Lane
Date:
We go to some lengths to prevent non-superusers from examining
data_directory and other values that would tell them exactly where the
PG data directory is in the server's filesystem.  The recently applied
patch to expose full pathnames of GUC variables' source files blows a
hole a mile wide in that.

Possible answers: don't show the path, only the file name; or
show sourcefile/sourceline as NULL to non-superusers.
        regards, tom lane


Re: pg_settings.sourcefile patch is a security breach

From: Magnus Hagander
Date:
Tom Lane wrote:
> We go to some lengths to prevent non-superusers from examining
> data_directory and other values that would tell them exactly where the
> PG data directory is in the server's filesystem.  The recently applied
> patch to expose full pathnames of GUC variables' source files blows a
> hole a mile wide in that.
> 
> Possible answers: don't show the path, only the file name; or
> show sourcefile/sourceline as NULL to non-superusers.

My vote goes for showing it as NULL to non-superusers. If we remove the
path, that makes it pretty darn useless for admin tools - which was the
main reason it was added in the first place..

And "showing full path for superuser, just filename for non-superusers"
just seems to be way too ugly to consider :-)

//Magnus



Re: pg_settings.sourcefile patch is a security breach

From: Magnus Hagander
Date:
Magnus Hagander wrote:
> Tom Lane wrote:
>> We go to some lengths to prevent non-superusers from examining
>> data_directory and other values that would tell them exactly where the
>> PG data directory is in the server's filesystem.  The recently applied
>> patch to expose full pathnames of GUC variables' source files blows a
>> hole a mile wide in that.
>>
>> Possible answers: don't show the path, only the file name; or
>> show sourcefile/sourceline as NULL to non-superusers.
> 
> My vote goes for showing it as NULL to non-superusers. If we remove the
> path, that makes it pretty darn useless for admin tools - which was the
> main reason it was added in the first place..
> 
> And "showing full path for superuser, just filename for non-superusers"
> just seems to be way too ugly to consider :-)

I've applied a patch that does this.

//Magnus
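
A check for the behaviour the thread settles on (sourcefile/sourceline shown as NULL to non-superusers), added here as an example and not taken from the thread or the applied patch. It assumes a test server whose pg_settings view has the sourcefile and sourceline columns; the role name sourcefile_probe is hypothetical.

```sql
-- Run as a superuser on a test instance; everything is rolled back.
BEGIN;

-- Hypothetical throwaway role with no privileges or memberships.
CREATE ROLE sourcefile_probe NOLOGIN;
SET LOCAL ROLE sourcefile_probe;

-- Expect zero rows: any row here means an unprivileged role can read a
-- configuration file path and so infer where the data directory lives.
SELECT name, sourcefile, sourceline
FROM pg_settings
WHERE sourcefile IS NOT NULL
   OR sourceline IS NOT NULL;

-- Expect zero rows: data_directory itself must stay hidden from this role.
SELECT name, setting
FROM pg_settings
WHERE name = 'data_directory';

RESET ROLE;

-- Control: as superuser the same columns are populated for settings
-- that were read from a configuration file.
SELECT name, sourcefile, sourceline
FROM pg_settings
WHERE source = 'configuration file'
LIMIT 5;

ROLLBACK;
```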