| From: | Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk> |
|---|---|
| To: | "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: Specification of "/" in the host name (for Unix socket support) |
| Date: | 2003-09-16 13:31:00 |
| Message-ID: | 20030916143100.A26377@bacon |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
On 14/09/2003 01:16 Oliver Jowett wrote:
> On Sat, Sep 13, 2003 at 05:28:03PM +0100, Paul Thomas wrote:
> > You can hide the port from the outside world with a firewall and
> configure
> > PostgreSQL to only accept tcp/ip connections for 127.0.0.1. And if
> packet
> > sniffing on the loopback interface is a concern, is SSL not secure
> enough?
> > Having said that, I'm not sure if the JDBC driver supports SSL ATM but
> > even without it the security argument (as opposed to a dogmatic policy
> > stance) looks very weak to me which is why I initially discounted it.
>
> The current driver does support SSL. I'm not sure what certificate
> management is like under this setup, but from past SSL experiences it's
> going to be "interesting".
>
> However, the simple solution to "I don't want the outside world to see
> the
> server" is "don't listen on TCP/IP, then". Firewalls and tweaking
> postgresql's host-based ACLs would work .. if configured and maintained
> correctly .. but they are hardly the simplest solution and are more
> likely
> to go wrong.
If your firewall goes wrong, I think you've got more fundamental problems
that exposing port 5432! As for configuring, even a simple tool like
Lokkit will do the job.
>
> Also user authentication becomes interesting if you want to do access
> control based on the local user's identity (quite likely when you're
> running
> the client on the same machine as the server). You're going to have to
> run
> an ident server at a minimum (more stuff to configure, firewall, and
> maintain, and another point of failure as the DB relies on it). Unix
> sockets
> can use SCM_CREDENTIALS to pass user information in a much simpler way.
> And
> you can set filesystem-based (user/group) permissions on a unix socket,
> something you can't do with a TCP/IP listener.
>
Well, if all of this is a must-have then Java is probably the wrong
language to use.
--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller
Business |
| Computer Consultants |
http://www.thomas-micro-systems-ltd.co.uk |
+------------------------------+---------------------------------------------+
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sergio Ramos | 2003-09-16 14:58:34 | Connection refused. HELP ME!!!! |
| Previous Message | Paul Thomas | 2003-09-16 12:56:15 | Re: Specification of "/" in the host name (for Unix socket support) |