Package: postgresql-13
Version: 13.7-0+deb11u1
Severity: normal
Tags: security
X-Debbugs-Cc: johannes.dr...@nfon.com, Debian Security Team <t...@security.debian.org>

Hi everyone,

first of all, this should not be a grave security issue, but one that might be exploitable nonetheless.

I noticed that the package, when installed, creates the configuration files in /etc as owned by the postgres user, which also executes the binary. As far as I'm informed, neither binaries nor configurations should be owned (and thus writeable) by the service user, unless there are good reasons to do so. ATM I fail to see the good reason to make the whole config directory writeable by the service user.

My proposal would be to let all directories and files be owned by root, with postgres as group and the permissions being 0755/0644 or (in case of files with secrets) 0640.

If there are good reasons to go the way it is ATM, I'd love to be given a link to the reasoning in the documentation, if there's any.

Thank you very much in advance
JD

-- System Information:
Debian Release: 11.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE, TAINT_SOFTLOCKUP
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postgresql-13 depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libc6                  2.31-13+deb11u3
ii  libgcc-s1              10.2.1-6
ii  libgssapi-krb5-2       1.18.3-6+deb11u1
ii  libicu67               67.1-7
ii  libldap-2.4-2          2.4.57+dfsg-3
ii  libllvm11              1:11.0.1-2
ii  libpam0g               1.4.0-9+deb11u1
ii  libpq5                 13.7-0+deb11u1
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1n-0+deb11u2
ii  libstdc++6             10.2.1-6
ii  libsystemd0            247.3-7
ii  libuuid1               2.36.1-8+deb11u1
ii  libxml2                2.9.10+dfsg-6.7+deb11u1
ii  libxslt1.1             1.1.34-4
ii  locales                2.31-13+deb11u3
ii  postgresql-client-13   13.7-0+deb11u1
ii  postgresql-common      225
ii  ssl-cert               1.1.0+nmu1
ii  tzdata                 2021a-1+deb11u2
ii  zlib1g                 1:1.2.11.dfsg-2+deb11u1

Versions of packages postgresql-13 recommends:
ii  sysstat  12.5.2-2

postgresql-13 suggests no packages.

-- debconf information:
  postgresql-13/postrm_purge_data: true