
Dissecting PostgreSQL CVE-2013-1899 (blackwinghq.com)


Robert Bernier

Apr 11, 2013, 10:51:01 AM
Comments?

http://blog.blackwinghq.com/2013/04/08/2/

Robert Bernier


--
Sent via pgsql-advocacy mailing list (pgsql-a...@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-advocacy

Bruce Momjian

Apr 11, 2013, 11:05:51 AM
On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> Comments?
>
> http://blog.blackwinghq.com/2013/04/08/2/

It is interesting how they try to combine the write ability to a web
server or postgres .profile file; I find the .profile particularly
nasty.

--
Bruce Momjian <br...@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +

Selena Deckelmann

Apr 11, 2013, 1:15:34 PM
On Thu, Apr 11, 2013 at 8:05 AM, Bruce Momjian <br...@momjian.us> wrote:
> On Thu, Apr 11, 2013 at 07:51:01AM -0700, Robert Bernier wrote:
> > Comments?
> >
> > http://blog.blackwinghq.com/2013/04/08/2/
>
> It is interesting how they try to combine the write ability to a web
> server or postgres .profile file; I find the .profile particularly
> nasty.

Yup. It's maybe an argument for chroot'ing the server to the $PGDATA directory. I realize that's probably not reasonable for stuff like extensions right now.

Also, a related best practice is keeping track of all the files that are in home directories of privileged users with something like Puppet or Chef -- so even if an attacker *does* overwrite a file like this, automation will wipe it out.

-selena
 
--
http://chesnok.com

Douglas J Hunley

Apr 11, 2013, 1:19:54 PM

On Thu, Apr 11, 2013 at 1:15 PM, Selena Deckelmann <sel...@chesnok.com> wrote:
> Also, a related best practice is keeping track of all the files that are in home directories of privileged users

I would hope people have tripwire/aide/et al configured to watch for these sorts of things already


--
Douglas J Hunley (doug....@gmail.com)
Twitter: @hunleyd    Web: douglasjhunley.com
G+: http://goo.gl/sajR3

Thom Brown

Apr 11, 2013, 1:24:54 PM
Couldn't you deny write-access to .profile to the postgres user?

--
Thom
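The two mitigations raised in this thread, tracking the files in a privileged account's home directory with an integrity checker (Selena's and Douglas's suggestion) and denying the postgres user write access to .profile (Thom's question), as one added Python example that is not part of the thread or of the blog post it discusses. It baselines and re-verifies the files under a home directory the way AIDE or tripwire would, and it checks the ownership and mode of the shell startup files. It assumes a constructed temporary directory standing in for ~postgres and a STARTUP_FILES list chosen for the example. It also goes one step beyond the thread: because the postgres account normally owns its home directory, it flags that as well, since the owner of a directory can unlink a root-owned .profile and create a replacement even when the file itself is not writable.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Files a login shell or psql reads when the service account logs in.
# Constructed list for this example; extend it for the shells actually in use.
STARTUP_FILES = (".profile", ".bash_profile", ".bash_login", ".bashrc", ".psqlrc")


def file_fingerprint(path):
    """Content hash plus the metadata an integrity checker compares."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def baseline(home):
    """Fingerprint every regular, non-symlink file directly under home (dotfiles included)."""
    entries = {}
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        if os.path.isfile(path) and not os.path.islink(path):
            entries[name] = file_fingerprint(path)
    return entries


def verify(home, known):
    """Compare home against a stored baseline; return (name, reason) findings."""
    current = baseline(home)
    findings = []
    for name in sorted(set(known) | set(current)):
        before, after = known.get(name), current.get(name)
        if before is None:
            findings.append((name, "added"))
        elif after is None:
            findings.append((name, "removed"))
        elif before != after:
            changed = [key for key in before if before[key] != after[key]]
            findings.append((name, "changed: " + ",".join(changed)))
    return findings


def startup_file_findings(home, service_uid):
    """Flag startup files the service account could still modify.

    A root-owned, mode 0644 .profile cannot be written by the account, but if
    the account owns the home directory it can unlink the file and create a
    replacement, so the directory's ownership and mode are checked as well.
    """
    findings = []
    group_other_write = stat.S_IWGRP | stat.S_IWOTH
    home_st = os.lstat(home)
    if home_st.st_uid == service_uid or home_st.st_mode & group_other_write:
        findings.append((".", "home directory writable by service account: startup files can be replaced"))
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "is a symlink"))
        elif st.st_uid == service_uid:
            findings.append((name, "owned by service account"))
        elif st.st_mode & group_other_write:
            findings.append((name, "group/other writable"))
    return findings


def demo():
    """Constructed scenario: a throwaway directory standing in for ~postgres."""
    home = tempfile.mkdtemp()
    try:
        me = os.getuid()
        profile = os.path.join(home, ".profile")
        with open(profile, "w") as fh:
            fh.write("export PATH=/usr/local/pgsql/bin:$PATH\n")
        os.chmod(profile, 0o644)
        known = baseline(home)
        clean = verify(home, known)                 # nothing changed yet
        with open(profile, "a") as fh:              # a line appended after the baseline
            fh.write("# constructed: line added after the baseline was taken\n")
        bashrc = os.path.join(home, ".bashrc")
        with open(bashrc, "w") as fh:               # a new startup file appears
            fh.write("# constructed new file\n")
        os.chmod(bashrc, 0o644)
        tampered = verify(home, known)
        as_service = startup_file_findings(home, me)      # this uid owns the tree
        as_other = startup_file_findings(home, me + 1)    # a uid that owns nothing here
    finally:
        shutil.rmtree(home)
    return {"clean": clean, "tampered": tampered,
            "as_service": as_service, "as_other": as_other}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Against a real server you would store the dict returned by baseline() (for example as JSON on a host the postgres account cannot write to), run verify() from cron or from the configuration-management agent, and pass pwd.getpwnam("postgres").pw_uid as service_uid. The home-directory finding is the one that matters for Thom's question: making .profile root-owned only helps if the directory it lives in is not owned or writable by the service account, or if the file is additionally made immutable.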