Skip site navigation (1) Skip section navigation (2)

server authentication over Unix-domain sockets

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: server authentication over Unix-domain sockets
Date: 2010-05-30 11:00:03
Message-ID: 1275217203.12068.55.camel@vanquo.pezone.net (view raw or flat)
Thread:
Lists: pgsql-hackers
It has been discussed several times in the past that there is no way for
a client to authenticate a server over Unix-domain sockets.  So
depending on circumstances, a local user could easily insert his own
server and collect passwords and data.  Suggestions for possible
remedies included:

You can put the socket file in a sufficiently write-protected directory.
But that would strongly deviate from the default setup, and anyway the
client still cannot readily verify that the server is the right one.

You can also run SSL over Unix-domain sockets.  This is currently
disabled in the code, but it would work just fine.  But it's obviously
kind of awkward, and the connection overhead was noticeable in tests.

Then it was suggested to use the local "ident" mechanism in reverse, so
the client could verify what user the server runs under.  I have
implemented a prototype of this.  You can put, e.g.,

requirepeer=postgres

into the connection parameters, and the connection will be rejected
unless the process at the other end of the socket is running as
postgres.

The patch needs some portability work and possible refactoring because
of that, but before I embark on that, comments on the concept?


Attachment: serverauth-requirepeer.patch
Description: text/x-patch (5.2 KB)

Responses

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2010-05-30 11:36:57
Subject: Re: pg_trgm
Previous:From: Marko TiikkajaDate: 2010-05-30 10:54:17
Subject: Re: small exclusion constraints patch

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group