Package: postgresql-13
Version: 13.7-0+deb11u1
Severity: normal
Tags: security
X-Debbugs-Cc: johannes.dr...@nfon.com, Debian Security Team <t...@security.debian.org>

Hi everyone,

First of all, this should not be a grave security issue, but one that
might be exploitable nonetheless. I noticed that the package, when
installed, creates the configuration files in /etc as owned by the
postgres user, which also executes the binary. As far as I'm informed,
neither binaries nor configurations should be owned, and thus writeable,
by the service user, unless there are good reasons to do so. ATM I fail to
see the good reason to make the whole config directory writeable
by the service user.

My proposal would be to let all directories and files be owned by root,
with postgres as the group and the permissions being 0755/0644 or (in case
of files with secrets) 0640.

If there are good reasons to go the way it is atm, I'd love to be given a
link to the reasoning in the documentation, if there is any.

Thank you very much in advance
JD


-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE, TAINT_SOFTLOCKUP
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postgresql-13 depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libc6                  2.31-13+deb11u3
ii  libgcc-s1              10.2.1-6
ii  libgssapi-krb5-2       1.18.3-6+deb11u1
ii  libicu67               67.1-7
ii  libldap-2.4-2          2.4.57+dfsg-3
ii  libllvm11              1:11.0.1-2
ii  libpam0g               1.4.0-9+deb11u1
ii  libpq5                 13.7-0+deb11u1
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1n-0+deb11u2
ii  libstdc++6             10.2.1-6
ii  libsystemd0            247.3-7
ii  libuuid1               2.36.1-8+deb11u1
ii  libxml2                2.9.10+dfsg-6.7+deb11u1
ii  libxslt1.1             1.1.34-4
ii  locales                2.31-13+deb11u3
ii  postgresql-client-13   13.7-0+deb11u1
ii  postgresql-common      225
ii  ssl-cert               1.1.0+nmu1
ii  tzdata                 2021a-1+deb11u2
ii  zlib1g                 1:1.2.11.dfsg-2+deb11u1

Versions of packages postgresql-13 recommends:
ii  sysstat  12.5.2-2

postgresql-13 suggests no packages.

-- debconf information:
  postgresql-13/postrm_purge_data: true

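As an added example (not part of the bug report or of the Debian packaging), a small POSIX sh audit that lists every path in a configuration tree the service account could alter, plus a dry-run emitter for the proposed root:postgres 0755/0644/0640 layout. The defaults /etc/postgresql and user postgres are taken from the report; which files count as "files with secrets" is an assumption and is passed in as a glob.

```sh
#!/bin/sh
# Audit a configuration tree for paths the service account could alter.
# Assumed defaults (taken from the report): /etc/postgresql, user "postgres".

# List every path under $1 that account $2 could modify:
#   - owned by $2 (the owner can always chmod and then write),
#   - group-writable and owned by one of $2's groups,
#   - world-writable.
# Output is sorted and de-duplicated, one path per line.
audit_writable_by() {
    dir=$1; svc=$2
    {
        find "$dir" -user "$svc"
        for g in $(id -Gn "$svc"); do
            find "$dir" -group "$g" -perm -g+w ! -user "$svc"
        done
        find "$dir" -perm -o+w ! -user "$svc"
    } | sort -u
}

# Emit (but do not run) the chown/chmod commands implementing the proposed
# layout: root:$2 everywhere, 0755 for directories, 0644 for files, 0640 for
# files whose basename matches the glob $3 (which files hold secrets is an
# assumption, so the caller passes the pattern explicitly, e.g. '*.key').
propose_fix() {
    dir=$1; grp=$2; secret_glob=$3
    find "$dir" -type d | while read -r p; do
        printf 'chown root:%s %s\nchmod 0755 %s\n' "$grp" "$p" "$p"
    done
    find "$dir" -type f | while read -r p; do
        case "$(basename "$p")" in
            $secret_glob) mode=0640 ;;
            *)            mode=0644 ;;
        esac
        printf 'chown root:%s %s\nchmod %s %s\n' "$grp" "$p" "$mode" "$p"
    done
}

# Non-zero exit when the audit finds anything, so it can gate a check.
check_config_tree() {
    n=$(audit_writable_by "$1" "$2" | wc -l)
    [ "$n" -eq 0 ]
}

# Typical invocation on the affected system (audit only; changes nothing):
#   audit_writable_by /etc/postgresql postgres
#   propose_fix /etc/postgresql postgres '*.key'
```

Review the emitted commands before piping them to a shell; the emitter does not quote paths containing whitespace.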