Re: WAL file location

Bruce Momjian <pgman@candle.pha.pa.us>

From: Bruce Momjian <pgman@candle.pha.pa.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Andrew Sullivan <andrew@libertyrms.info>, Thomas Lockhart <lockhart@fourpalms.org>, PostgreSQL Hackers List <pgsql-hackers@postgresql.org>
Date: 2002-07-30T18:37:12Z
Lists: pgsql-hackers
In my logic, we have PGDATA environment variable for the server only so
the server can find the /data directory.  After that, everything should
be in /data.  I see no reason to make it an environment variable.

In fact, a file in /data should be able to track the xlog directory a
lot better than an evironment variable will.


---------------------------------------------------------------------------

Tom Lane wrote:
> Andrew Sullivan <andrew@libertyrms.info> writes:
> > On Tue, Jul 30, 2002 at 02:05:57PM -0400, Tom Lane wrote:
> >> If we add more environment-variable-dependent mechanisms to allow more
> >> different things to be done, we increase substantially the odds of
> >> creating an exploitable security hole.
> 
> > Ok, true enough, but I'm not sure that a config file or any other
> > such mechanism is any safer.  As Lamar Owen said, anyone who can
> > poison the postgres user's environment can likely do evil things to
> > postgresql.conf as well.
> 
> Who said anything about poisoning the environment?  My point was that
> there will be strings in the environment that were put there perfectly
> legitimately, but could still serve as an attack vehicle.
> 
> The weakness of the existing database-locations-are-environment-variables
> feature is really that the attacker gets to choose which environment
> variable gets used, and so he can use a variable intended to serve
> purpose A for some other purpose B.  If A and B are sufficiently
> different then you got trouble --- and since we are talking about a
> purpose B that involves writing on something, there's definitely a risk.
> 
> A mechanism based only on a fixed environment variable name doesn't
> create the sort of threat I'm contemplating.  For example, if the
> postmaster always and only looked at $PGXLOG to find the xlog then
> you'd not have this type of risk.  But Thomas said he was basing the
> feature on database locations, and in the absence of seeing the code
> I don't know if he's creating a security hole or not.
> 
> 			regards, tom lane
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026