Message-ID: <4713472.KTmzpNTf6I@devil>
Date: Sun, 07 Dec 2014 20:38:39 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: gremlin@...mlin.ru
Subject: Re: postgresql: pg_dump creates world-readable dump

On Sunday 07 December 2014 20:26:41 gremlin@...mlin.ru wrote:
> Only if that user is allowed to enter the directory where the dump
> is stored, etc.
>
> > In my opinion it deserves a CVE.
>
> Misconfiguration != vulnerability.

Some time ago we assigned CVEs for world-readable logs produced by webservers in e.g. /var/log/$webserver/file.log. Nobody thought that running chmod o-r on the directory was the solution, because it is only a workaround.

I think that we have a similar scenario. And I think it is more logical to produce a dump with mode 600 instead of forcing millions of users to chmod the directory.

-- 
Agostino Sarubbo
Gentoo Linux Developer
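As an added illustration of the mode-600 approach suggested above (example code, not from the thread or from PostgreSQL): a wrapper that creates the dump file with owner-only permissions before any data is written, and a check that flags dumps readable by "other". The command run is a constructed stand-in for pg_dump.

```python
import os
import stat
import subprocess
import tempfile


def dump_to_private_file(cmd, path):
    """Run `cmd` and stream its stdout into `path`, created with mode 0600.

    The file is created with the final permissions in the same syscall,
    so there is no window in which it is world-readable. umask can only
    clear bits from 0600, never widen it, and the parent directory's mode
    is irrelevant to the file's own bits. O_EXCL refuses an existing path,
    so a pre-created file or symlink in a shared directory is never written
    through; callers see FileExistsError instead.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        subprocess.run(cmd, stdout=fd, check=True)
    finally:
        os.close(fd)
    return path


def is_world_readable(path):
    """True if the 'other' read bit is set on `path`."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Write a constructed 'dump' into a fresh temp directory and return
    (permission bits as octal string, world-readable flag, contents)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "constructed.sql")
    # Hypothetical stand-in for ["pg_dump", "mydb"].
    dump_to_private_file(["sh", "-c", "echo '-- constructed dump'"], path)
    with open(path) as fh:
        contents = fh.read()
    return oct(os.stat(path).st_mode & 0o777), is_world_readable(path), contents


def demo_refuses_existing():
    """Show that an already-present file at the target path is not reused."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "existing.sql")
    open(path, "w").close()  # pre-created, possibly with loose permissions
    try:
        dump_to_private_file(["sh", "-c", "echo x"], path)
    except FileExistsError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), demo_refuses_existing())
```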