Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 07 Dec 2014 20:38:39 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: gremlin@...mlin.ru
Subject: Re: postgresql: pg_dump creates world-readable dump

On Sunday 07 December 2014 20:26:41 gremlin@...mlin.ru wrote:
> Only if that user is allowed to enter the directory where the dump
> is stored, etc.
> 
>  > In my opinion it deserves a cve.
> 
> Misconfiguration != vulnerability.

Time ago we assigned CVEs for world-readable logs produced by webservers in 
e.g. /var/log/$webserver/file.log . 
Nobody thought that make chmod o-r to the directory was the solution because 
is only a workaround.

I think that we have a similar scenario.

And I think it is more logical produce a dump with mode 600 instead of force 
million users to chmod the directory.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.