On 11/4/2025 6:20 AM, Ranier Vilela wrote: > Hi. > > I noticed this while checking the source (src/interfaces/libpq/fe- > connect.c). > It seems that S_IRWXU permission is harmful too. > > In accord with [1] and [2] this should also be checked. > Also, all other places in the source, S_IRWXU are checked. > > So, I propose adding this check to enhance the security. > > Maybe the error messages, do they need improvement as well? > > patchs attached. > > best regards, > Ranier Vilela > > [1] https://docs.aws.amazon.com/codeguru/detector-library/cpp/loose- > file-permissions/ <https://docs.aws.amazon.com/codeguru/detector- > library/cpp/loose-file-permissions/> > [2] https://www.exploit-db.com/exploits/33145 <https://www.exploit- > db.com/exploits/33145> I just took a glance an you enhance-security-file-permissions-be-secure-common.patch file...
I may be misunderstanding either your intent or what this code actually does, but it seems to me that the check rejects files if any of the tested bits are set.
Correct.
Doesn't adding S_IRWXU means rejecting files with any owner permissions, including S_IRUSR (owner read).
S_IRWXU on stat is "Mask for file owner permissions".
That would reject mode 0600, which is the documented and required permission for SSL key files.
I think no.
Mode 0000 would be the only thing that passes this check and we can't read that.
I believe your [1] reference is about overly permissive roles in creating files. We are validating existing ones.
Sorry, I think that [1] has wrong examples of this.
[2] has a more correct example.
We are validating files existing, created by others.
S_IRWXU file mode indicating readable, writable and executable by owner.
I think if the file is executable by the owner, He should be rejected, shouldn't he?
