Re: [HACKERS] Possible make_oidjoins_check Security Issue

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: Neil Conway <neilc@samurai.com>, Rod Taylor <pg@rbt.ca>, PostgreSQL-patches <pgsql-patches@postgresql.org>
Date: 2004-11-03T23:34:19Z
Lists: pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> I think Tom's fix adequately addresses the security concerns. Exactly
>> what is wrong with writing to the current working directory?

> Because it could be run from a directory where others have write
> permission.

In which case, they could also change the findoidjoins script itself.
I think your fix is *less* secure than what you replaced.

However, I've already wasted more than enough time on this issue...
I'm done arguing about it.

			regards, tom lane