PostgreSQL runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. Red Hat provides scripts for starting the database server during system boot and for initializing the database. These implementations use file names that the database superuser can replace with symbolic links. As root, the scripts open(), chmod() and/or chown() the log and data files. These issues often suffice for the database superuser to escalate to root privileges when root starts the server or initializes the database.
Red Hat initialization and setup scripts for postgresql have race condition vulnerabilities that may enable the escalation of privileges from the postgres user account to root. For Red Hat Enterprise Linux 6 and earlier, the start action in the postgresql.init script has the following piece of code:

    touch "$PGLOG" || exit 4
    chown postgres:postgres "$PGLOG"
    chmod go-rwx "$PGLOG"

An attacker with access to the postgres user account could replace the targeted log file (PGLOG) with a symbolic link to a root-owned file before root runs these commands. Similar pieces of code can be found in many other parts of the script (e.g., in the initdb action, for the data directory creation). The postgresql packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7 are susceptible during the initdb and update actions (through the postgresql-setup script). Since administrators do not perform initdb and update actions very often, the impact of this flaw can be considered lower for Red Hat Enterprise Linux 7 and Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7. A possible mitigation is dropping root privileges right at the beginning of the scripts.
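The following is an added example written for this advisory; it is not code from the Red Hat postgresql.init or postgresql-setup scripts. It places the pattern quoted above beside a hardened version that applies the mitigation the advisory names: the file operations are performed as the service account rather than as root, so a symbolic link planted by that account can only reach files it could already write. The function names, the service-user parameter (so the hardened function can be exercised as an ordinary user) and the use of util-linux runuser when invoked as root are assumptions of the example.

```shell
#!/bin/sh
# Added example for this advisory (not the Red Hat scripts themselves).
# Assumptions: util-linux "runuser" is present when run as root; the service
# account name is passed as a parameter so the function can run unprivileged.

# Pattern quoted in the advisory. Root resolves $PGLOG; if the postgres account
# has replaced it with a symlink, touch/chown/chmod follow the link as root.
prepare_log_vulnerable() {
    PGLOG="$1"
    touch "$PGLOG" || return 4
    chown postgres:postgres "$PGLOG"
    chmod go-rwx "$PGLOG"
}

# Hardened pattern: drop privileges and create the file as the service account.
# No chown is needed, because the file is created by its intended owner, and a
# planted symlink cannot lead anywhere that owner could not already write.
prepare_log_safe() {
    pglog="$1"
    svc_user="${2:-postgres}"
    # Extra check: refuse an existing symlink outright. On its own this is a
    # time-of-check/time-of-use race, which is why the privilege drop below,
    # not this test, is the actual fix.
    if [ -L "$pglog" ]; then
        echo "refusing symlink at $pglog" >&2
        return 1
    fi
    if [ "$(id -un)" = "$svc_user" ]; then
        touch "$pglog" && chmod go-rwx "$pglog"
    else
        runuser -u "$svc_user" -- sh -c 'touch "$1" && chmod go-rwx "$1"' sh "$pglog"
    fi
}

# Verification helper: returns 0 if the path is a regular file (not a symlink)
# with no group/other permission bits, i.e. what prepare_log_safe should leave.
log_is_private_regular() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        return 1
    fi
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Run as root, prepare_log_safe hands the touch and chmod to runuser so the kernel resolves any link as the service account; run as that account (or in a test as the current user) it simply performs them directly. The symlink refusal is kept only as a secondary signal for logging, since the privilege drop is what removes the root-level side effect.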
Statement: Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Acknowledgments:
Name: Pedro Barbosa (Red Hat), the PostgreSQL project
Upstream: Antoine Scemama (Brainloop)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3402
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Via RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3403
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Via RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3404
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Via RHSA-2017:3405 https://access.redhat.com/errata/RHSA-2017:3405