Date: Sun, 07 Dec 2014 16:49:47 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: postgresql: pg_dump creates world-readable dump Hello, I just discovered that pg_dump creates the database dump with world readable permission (644 to be exactly). I provided to inform upstream about, and this was the response: On Sunday 07 December 2014 10:34:19 Noah Misch wrote: > You presumably have umask 0022. Like most programs, pg_dump does not > constrain modes of files it creates; adjust your umask for that. A few > programs do otherwise; for example, ssh-keygen specifically constrains the > mode of new private key files. A database dump is not in such a special > category, so pg_dump should continue to do the standard thing. A local user is able to copy it and discover sensitive data. In my opinion it deserves a cve. -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.