
Date:         Thu, 2 Dec 1999 16:42:10 -0500
From: Lamar Owen <lamar.owen@WGCR.ORG>
Subject:      PostgreSQL RPM's permission problems
To: BUGTRAQ@SECURITYFOCUS.COM

This list is widely known for disseminating valuable security
information -- and for being full disclosure.

So, as the maintainer of the RPM set for PostgreSQL, I am making the
following announcement about a security vulnerability in the RPM
installation of PostgreSQL available to any local user of the machine
running the 'postmaster' process.

This vulnerability only involves PostgreSQL connection passwords.  The
backend process creates a flat-file copy of the pg_shadow username and
password database called 'pg_pwd' -- due to an internal error this file
is created mode '666'.  This in itself is not good -- but the directory
that this file resides in is by default mode '700', so it is not in
itself a hole (although it is being fixed for version 7.0).

HOWEVER, the RPM distribution up to version 6.5.3-1 had the directory
(/var/lib/pgsql) in a highly insecure mode '755' condition.  The latest
RPMS (available right now at http://www.ramifordistat.net/postgres) fix
this to mode '700'.  The quick fix is to 'chmod 700 /var/lib/pgsql'.  If
this chmod is not done, or the new RPM not installed, any local user is
able to read the pg_pwd file -- which contains plaintext
username/password pairs.

--
Lamar Owen
RPM Package Maintainer, PostgreSQL Global Development Group
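
The check described in the advisory above, as an added example that is not part of the original message or of the PostgreSQL RPMs: a shell function that reports whether a PostgreSQL directory is open to group/other and whether the pg_pwd file in it is world-readable. The function name audit_pgsql_dir and its return codes are hypothetical, and GNU stat (`stat -c`) is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes GNU coreutils stat.
# audit_pgsql_dir is a hypothetical helper, not part of PostgreSQL or its RPMs.
# Returns: 0 = directory closed to group/other, 1 = exposed, 2 = cannot check.
audit_pgsql_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi
    dmode=$(stat -c '%a' "$dir") || return 2

    # Any group/other bit (octal 077) means accounts other than the owner
    # can list or enter the directory; the advisory's fixed state is 700.
    if [ $(( 0$dmode & 077 )) -ne 0 ]; then
        exposed=1
        echo "EXPOSED: $dir is mode $dmode; fix with: chmod 700 $dir"
    else
        exposed=0
        echo "OK: $dir is mode $dmode"
    fi

    # pg_pwd is the flat-file password copy. When the directory is 700 and
    # the caller is not the owner, this test fails and the file is skipped.
    f=$dir/pg_pwd
    if [ -f "$f" ]; then
        fmode=$(stat -c '%a' "$f") || return 2
        if [ $(( 0$fmode & 004 )) -ne 0 ]; then
            if [ $(( 0$dmode & 001 )) -ne 0 ]; then
                echo "EXPOSED: $f (mode $fmode) is readable by any local user"
            else
                echo "NOTE: $f is mode $fmode; only the directory mode protects it"
            fi
        fi
    fi
    return "$exposed"
}

# Run stand-alone as: sh audit.sh /var/lib/pgsql
if [ "$#" -gt 0 ]; then
    audit_pgsql_dir "$1"
fi
```
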