On Wed, Oct 29, 2014 at 10:52 AM, Andres Freund <and...@2ndquadrant.com> wrote: >> The larger point though is that this is just one of innumerable attack >> routes for anyone with the ability to make the server do filesystem reads >> or writes of his choosing. If you think that's something you can safely >> give to people you don't trust enough to make them superusers, you are >> wrong, and I don't particularly want to spend the next ten years trying >> to wrap band-aids around your misjudgment. > > ... but that doesn't necessarily address this point.
I think the question is "just how innumerable are those attack routes"? So, we can prevent a symlink from being used via O_NOFOLLOW. But what about hard links? In general, the hazard is that an untrusted user can induce the user to read or write a file that the user in question could not have read or written himself. It's not clear to me whether it's reasonably possible to build a system that is robust against such attacks, or not. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
