On Mon, Aug 19, 2013 at 11:34:47AM +0200, Dimitri Fontaine wrote:
Dave Page <dpage@pgadmin.org> writes:
If you find a hole in the boat, the preferred option is to fix it, not
to say "meh, well another won't hurt".
My understanding is that there's no way to fix it. If you're superuser
you have the keys to the kingdom. That's it.

And that's why it's very important that as many as possible of our
feature set works without requiring superuser.
That's pretty vague. Exactly what does "keys to the kingdom" mean? If
it means you can do anything to the database, you are right. If it
means executing arbitrary code, including arbitrary kernel calls, I
would like to hear how that is done.

Was writing into the postgres users's .profile and waiting for them to
log in what you were thinking of? You could also create a binary in
their home directory and have .profile run it. (I thought this was a
particularly creative exploit.)

   Bruce Momjian <bruce@momjian.us> http://momjian.us
   EnterpriseDB http://enterprisedb.com

   + It's impossible for everything to be true. +

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 12 of 14 | next ›
Discussion Overview
grouppgsql-hackers @
postedAug 17, '13 at 9:53p
activeAug 19, '13 at 11:42p



site design / logo © 2018 Grokbase