Sunday, September 21, 2008

[HACKERS] pg_settings.sourcefile patch is a security breach

We go to some lengths to prevent non-superusers from examining
data_directory and other values that would tell them exactly where the
PG data directory is in the server's filesystem. The recently applied
patch to expose full pathnames of GUC variables' source files blows a
hole a mile wide in that.

Possible answers: don't show the path, only the file name; or
show sourcefile/sourceline as NULL to non-superusers.

regards, tom lane

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

No comments: