oss-sec mailing list archives
Re: postgresql: pg_dump creates world-readable dump
From: Agostino Sarubbo <ago () gentoo org>
Date: Sun, 07 Dec 2014 20:38:39 +0100
On Sunday 07 December 2014 20:26:41 gremlin () gremlin ru wrote:
> Only if that user is allowed to enter the directory where the dump is stored, etc.
>
> > In my opinion it deserves a cve.
>
> Misconfiguration != vulnerability.

Some time ago we assigned CVEs for world-readable logs produced by webservers in e.g. /var/log/$webserver/file.log. Nobody thought that running chmod o-r on the directory was the solution, because it is only a workaround. I think that we have a similar scenario. And I think it is more logical to produce a dump with mode 600 instead of forcing a million users to chmod the directory.

-- 
Agostino Sarubbo
Gentoo Linux Developer
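
Added example, not part of the original message or of PostgreSQL's code: the two positions in this exchange (file mode 600 versus restricting the directory) checked side by side on a POSIX system. The helper names, the umask of 022 and the sample dump content are assumptions made for illustration.

```python
import os
import stat
import tempfile

SAMPLE = b"-- constructed sample dump\nCREATE TABLE t (secret text);\n"

def write_default(path, data):
    # Default creation mode: 0666 masked by the umask (0644 under umask 022).
    with open(path, "wb") as f:
        f.write(data)

def write_private(path, data):
    # Mode 0600 is applied at creation time; O_EXCL refuses an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def exposed(path, top):
    """True if others can read the file AND traverse every directory
    from `top` down to it (only mode bits are checked, not ACLs)."""
    if not mode(path) & stat.S_IROTH:
        return False
    d, top = os.path.dirname(os.path.abspath(path)), os.path.abspath(top)
    while True:
        if not mode(d) & stat.S_IXOTH:
            return False
        if d == top or d == os.path.dirname(d):
            return True
        d = os.path.dirname(d)

def demo():
    old = os.umask(0o022)  # assumed common default umask
    try:
        with tempfile.TemporaryDirectory() as top:
            default = os.path.join(top, "default.sql")
            private = os.path.join(top, "private.sql")
            write_default(default, SAMPLE)
            write_private(private, SAMPLE)
            os.chmod(top, 0o755)  # directory that other users may enter
            open_dir = (exposed(default, top), exposed(private, top))
            os.chmod(top, 0o750)  # directory workaround: no access for others
            closed_dir = (exposed(default, top), exposed(private, top))
            return mode(default), mode(private), open_dir, closed_dir
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

The file created with mode 600 stays unreadable to other users whatever the directory permissions are, while the file created with the default mode is protected only as long as the directory restriction remains in place.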