Re: postgresql: pg_dump creates world-readable dump

[gremlin () gremlin ru]

On 2014-12-07 16:49:47 +0100, Agostino Sarubbo wrote:

> I just discovered that pg_dump creates the database dump with
> world readable permission (644 to be exactly).

The keyword is "creates".

> I provided to inform upstream about, and this was the response:
> On Sunday 07 December 2014 10:34:19 Noah Misch wrote:
> > You presumably have umask 0022. Like most programs, pg_dump
> > does not constrain modes of files it creates; adjust your umask
> > for that.

Have you followed the advise? Did it helped?

> A local user is able to copy it and discover sensitive data.

Only if that user is allowed to enter the directory where the dump
is stored, etc.

> In my opinion it deserves a cve.

Misconfiguration != vulnerability.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net