Enhance security permissions
Ranier Vilela <ranier.vf@gmail.com>
From: Ranier Vilela <ranier.vf@gmail.com>
To: Pg Hackers <pgsql-hackers@postgresql.org>
Date: 2025-11-04T12:20:53Z
Lists: pgsql-hackers
Attachments
- enhance-security-file-permissions-be-secure-common.patch (application/octet-stream) patch
- enhance-security-file-permissions-fe-connect.patch (application/octet-stream) patch
- enhance-security-file-permissions-fe-secure-openssl.patch (application/octet-stream) patch
- enhance-security-file-permissions-pg_backup_tar.patch (application/octet-stream) patch
Hi. I noticed this while checking the source (src/interfaces/libpq/fe-connect.c). It seems that S_IRWXU permission is harmful too. In accord with [1] and [2] this should also be checked. Also, all other places in the source, S_IRWXU are checked. So, I propose adding this check to enhance the security. Maybe the error messages, do they need improvement as well? patchs attached. best regards, Ranier Vilela [1] https://docs.aws.amazon.com/codeguru/detector-library/cpp/loose-file-permissions/ [2] https://www.exploit-db.com/exploits/33145