Date: Sun, 7 Dec 2014 20:31:27 +0100
From: Robert Scheck <robert@...oraproject.org>
To: oss-security@...ts.openwall.com
Subject: Re: postgresql: pg_dump creates world-readable dump

Hello Agostino,

On Sun, 07 Dec 2014, Agostino Sarubbo wrote:
> I just discovered that pg_dump creates the database dump with world-readable
> permission (644, to be exact).

I think you got tricked by either umask or an existing file that was
already created with other permissions before, because here it looks
like this:

$ pg_dump --version
pg_dump (PostgreSQL) 9.3.5
$

$ umask 
0022
$ pg_dump postgres > postgres1.sql
$ ls -l postgres1.sql
-rw-r--r--. 1 postgres postgres 902 Dec  7 20:17 postgres1.sql
$ 

$ umask 0077
$ umask 
0077
$ pg_dump postgres > postgres2.sql
$ ls -l postgres2.sql
-rw-------. 1 postgres postgres 902 Dec  7 20:17 postgres2.sql
$ 

But: 

$ touch postgres3.sql
$ chmod 644 postgres3.sql
$ pg_dump postgres > postgres3.sql
$ ls -l postgres3.sql
-rw-r--r--. 1 postgres postgres 902 Dec  7 20:17 postgres3.sql
$

> In my opinion it deserves a cve.

I do not know which behaviour you are exactly seeing (and for which
version of PostgreSQL) but the above seems absolutely fine to me.

Robert
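As an added example (not part of Robert's mail or of PostgreSQL), the following POSIX shell script reproduces the three cases shown above and adds the defensive pattern of removing any stale target before dumping under a restrictive umask. It assumes the file mode is decided entirely by the shell that opens the file for `>` redirection, so a constructed function writing to stdout stands in for `pg_dump postgres`.

```shell
#!/bin/sh
# Added example, not from the original mail or from PostgreSQL: reproduce the
# three cases in the mail. The mode of the dump file is set by the shell that
# opens it for ">" redirection, so any command writing to stdout stands in for
# pg_dump here (assumption: pg_dump itself only writes to stdout).

# Constructed stand-in for "pg_dump postgres".
fake_pg_dump() {
    printf -- '-- constructed dump content\n'
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Redirect the dump into a fresh temp dir under umask $1; if $2 is given, the
# target already exists with mode $2 beforehand. Prints the resulting mode.
dump_mode() {
    _umask=$1; _pre=$2
    _dir=$(mktemp -d); _out=$_dir/dump.sql
    if [ -n "$_pre" ]; then
        : > "$_out"             # pre-existing file: ">" truncates it and
        chmod "$_pre" "$_out"   # keeps whatever mode it already had
    fi
    ( umask "$_umask"; fake_pg_dump > "$_out" )
    file_mode "$_out"
    rm -rf "$_dir"
}

# Defensive pattern: drop any stale target first, then create it under a
# restrictive umask, so neither the caller's umask nor an old 644 file can
# leave the dump world-readable. Prints the resulting mode.
safe_dump_mode() {
    _dir=$(mktemp -d); _out=$_dir/dump.sql
    : > "$_out"
    chmod 644 "$_out"           # simulate a stale world-readable dump
    rm -f "$_out"
    ( umask 077; fake_pg_dump > "$_out" )
    file_mode "$_out"
    rm -rf "$_dir"
}

echo "umask 022, no existing file:   $(dump_mode 022)"      # 644
echo "umask 077, no existing file:   $(dump_mode 077)"      # 600
echo "umask 077, existing 644 file:  $(dump_mode 077 644)"  # 644
echo "rm -f + umask 077 (defensive): $(safe_dump_mode)"     # 600
```

The third line is the case from the mail where a stale 644 file is silently reused; the last line shows that removing the target and lowering the umask before redirection closes it.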
