oss-sec mailing list archives
Re: postgresql: pg_dump creates world-readable dump
From: gremlin () gremlin ru
Date: Sun, 7 Dec 2014 20:26:41 +0300
On 2014-12-07 16:49:47 +0100, Agostino Sarubbo wrote:
> I just discovered that pg_dump creates the database dump with world-readable permission (644 to be exact).

The keyword is "creates".

> I informed upstream about it, and this was the response:
>
> On Sunday 07 December 2014 10:34:19 Noah Misch wrote:
> > You presumably have umask 0022. Like most programs, pg_dump does not constrain modes of files it creates; adjust your umask for that.

Have you followed the advice? Did it help?

> A local user is able to copy it and discover sensitive data.

Only if that user is allowed to enter the directory where the dump is stored, etc.

> In my opinion it deserves a CVE.

Misconfiguration != vulnerability.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
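The mechanism both sides of the thread are arguing about, shown as an added shell example (written for this page; it is not code from the thread or from PostgreSQL): a program that opens its output with the default mode 0666 gets whatever the process umask leaves, so 022 yields 644 and 077 yields 600. A plain redirection stands in for pg_dump so it runs without a database, and the function names (run_with_umask, dump_with_umask, perm_string, world_readable, find_world_readable_dumps) are this example's own.

```shell
#!/bin/sh
# Added demonstration: pg_dump, like most programs, does not constrain the
# modes of files it creates; the process umask decides. A plain redirection
# stands in for pg_dump here, and every file is a scratch file made by this
# script.

# run_with_umask UMASK CMD [ARGS...]
# Run CMD under UMASK in a subshell so the caller's own umask is untouched.
# With CMD = pg_dump ... this is the mitigation the upstream reply describes.
run_with_umask() {
    _mask=$1; shift
    ( umask "$_mask" && "$@" )
}

# dump_with_umask UMASK PATH
# Stand-in for an unconstrained dump writer: create PATH as 0666 & ~UMASK.
dump_with_umask() {
    run_with_umask "$1" sh -c ': > "$1"' sh "$2"
}

# perm_string PATH -> e.g. "-rw-r--r--" (ls instead of stat, for portability)
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# world_readable PATH -> true when the "other" read bit (position 8) is set
world_readable() {
    [ "$(perm_string "$1" | cut -c8)" = "r" ]
}

# find_world_readable_dumps DIR
# List dump-looking files under DIR that any local user may read (mode & 0004),
# the check an operator would run over a backup directory.
find_world_readable_dumps() {
    find "$1" -type f \( -name '*.sql' -o -name '*.dump' \) -perm -004
}

# Stand-alone run: the same "dump" under the two umasks from the thread.
demo() {
    d=$(mktemp -d)
    dump_with_umask 022 "$d/default.sql"
    dump_with_umask 077 "$d/private.sql"
    echo "umask 022: $(perm_string "$d/default.sql")"
    echo "umask 077: $(perm_string "$d/private.sql")"
    echo "world-readable dumps: $(find_world_readable_dumps "$d")"
    rm -r "$d"
}
demo
```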