Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 7 Dec 2014 20:26:41 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: postgresql: pg_dump creates world-readable dump

On 2014-12-07 16:49:47 +0100, Agostino Sarubbo wrote:

 > I just discovered that pg_dump creates the database dump with
 > world readable permission (644 to be exactly).

The keyword is "creates".

 > I provided to inform upstream about, and this was the response:
 > On Sunday 07 December 2014 10:34:19 Noah Misch wrote:
 >> You presumably have umask 0022. Like most programs, pg_dump
 >> does not constrain modes of files it creates; adjust your umask
 >> for that.

Have you followed the advise? Did it helped?

 > A local user is able to copy it and discover sensitive data.

Only if that user is allowed to enter the directory where the dump
is stored, etc.

 > In my opinion it deserves a cve.

Misconfiguration != vulnerability.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.