This list is widely known for dessiminating valuable security information -- and for being full disclosure. So, as the maintainer of the RPM set for PostgreSQL, I am making the following announcement about a security vulnerability in the RPM installation of PostgreSQL available to any local user of the machine running the 'postmaster' process. This vulnerability only involves PostgreSQL connection passwords. The backend process creates a flat-file copy of the pg_shadow username and password database called 'pg_pwd' -- due to an internal error this file is created mode '666'. This in itself is not good -- but the directory that this file resides in is by default mode '700', so it is not in itself a hole (although it is being fixed for version 7.0). HOWEVER, the RPM distribution up to version 6.5.3-1 had the directory (/var/lib/pgsql) in a highly insecure mode '755' condition. The latest RPMS (available right now at http://www.ramifordistat.net/postgres) fix this to mode '700'. The quick fix is to 'chmod 700 /var/lib/pgsql'. If this chmod is not done, or the new RPM not installed, any local user is able to read the pg_pwd file -- which contains plaintext username/password pairs. -- Lamar Owen RPM Package Maintainer, PostgreSQL Global Development Group
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:35 PDT