Date: Sun, 07 Dec 2014 20:38:39 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Cc: gremlin@...mlin.ru Subject: Re: postgresql: pg_dump creates world-readable dump On Sunday 07 December 2014 20:26:41 gremlin@...mlin.ru wrote: > Only if that user is allowed to enter the directory where the dump > is stored, etc. > > > In my opinion it deserves a cve. > > Misconfiguration != vulnerability. Time ago we assigned CVEs for world-readable logs produced by webservers in e.g. /var/log/$webserver/file.log . Nobody thought that make chmod o-r to the directory was the solution because is only a workaround. I think that we have a similar scenario. And I think it is more logical produce a dump with mode 600 instead of force million users to chmod the directory. -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.