
Re: SSL over Unix-domain sockets

From: Aidan Van Dyk <aidan(at)highrise(dot)ca>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL over Unix-domain sockets
Date: 2008-01-04 18:36:52
Message-ID: 20080104183652.GU7824@yugib.highrise.ca
Lists: pgsql-hackers, pgsql-patches
* Bruce Momjian <bruce(at)momjian(dot)us> [080104 13:00]:

> > Actually, if you just commit that patch *without* pg_hba modifications,
> > it still solves the problem stated, no? Because the client can be
> > configured to require ssl and to require server certificate validation,
> > and that's the hole we're trying to plug here...
> 
> Yes, it would plug the hole without fully implementing SSL control on
> local sockets.  However, the hole is already plugged by using directory
> permissions so I question the need for a partial solution at this point
> in 8.3.

Yet we have respected people warning us that the *only* place we can
have the socket is /tmp, because that's where everybody (for varying
definitions of everybody) looks.  Moving the socket from /tmp actually
makes the problem of a spoofed postmaster bigger.

If you have a scheme to "move" or protect the unix socket, make sure you
still provide the one in /tmp.  A simple test looks like the
/tmp/.s.PGSQL.XXXX can be a symlink to the socket in the protected dir, so
it may be enough for concerned admins to create this symlink (or the
actual socket with correct owner/permissions) on system startup,
preventing an "outsider" from taking this file before postgresql (and
make sure that no tmpwatch or anything removes it again).

But if PostgreSQL is started before your "untrusted user processes",
then your untrusted user processes should never get the chance to spoof
the server unless they get to mv/delete the postgres-user owned socket
in /tmp, in which case, you've got larger problems to worry about...

a.

-- 
Aidan Van Dyk                                             Create like a god,
aidan(at)highrise(dot)ca                                       command like a king,
http://www.highrise.ca/                                   work like a slave.
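The layout Aidan describes (the real socket in a protected directory, a postgres-owned entry left in /tmp pointing at it) can be checked from the client side before connecting, so a spoofed postmaster is detected rather than trusted. The following is an added example written for this archive page, not code from the thread or from PostgreSQL; it assumes libpq's default socket name `.s.PGSQL.5432` and, in the scratch layout it builds, treats the current uid as the server account.

```python
import os
import socket
import stat
import tempfile

# Constructed value: libpq's default socket name in /tmp (port 5432).
SOCKET_NAME = ".s.PGSQL.5432"


def verify_pg_socket(path, expected_uid):
    """Return (ok, reason). True only if `path` is a socket, or a symlink
    to one, owned by expected_uid and kept where nobody else can swap it:
    a directory owned by that uid without group/other write, or a sticky
    directory such as /tmp."""
    try:
        entry = os.lstat(path)  # the /tmp entry: in sticky /tmp only its
        if entry.st_uid != expected_uid:  # owner can rename or unlink it
            return False, "entry owned by uid %d" % entry.st_uid
        real = os.path.realpath(path)
        target = os.stat(real)
    except FileNotFoundError:
        return False, "missing or dangling"
    if not stat.S_ISSOCK(target.st_mode):
        return False, "not a socket"
    if target.st_uid != expected_uid:
        return False, "socket owned by uid %d" % target.st_uid
    parent = os.stat(os.path.dirname(real))
    others_write = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if not parent.st_mode & stat.S_ISVTX and (
        parent.st_uid != expected_uid or others_write
    ):
        return False, "socket directory writable by others"
    return True, "ok"


def build_layout(dir_mode, real_socket):
    """Scratch copy of the layout from the mail: a socket (or an impostor
    regular file) in a protected dir, plus a /tmp-style symlink to it.
    Returns the verdict of verify_pg_socket() for the running uid."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "pgsock")
    os.mkdir(protected)
    os.chmod(protected, dir_mode)  # explicit: mkdir's mode is umask-masked
    real = os.path.join(protected, SOCKET_NAME)
    if real_socket:
        socket.socket(socket.AF_UNIX).bind(real)
    else:
        open(real, "w").close()
    link = os.path.join(base, SOCKET_NAME)
    os.symlink(real, link)
    return verify_pg_socket(link, os.getuid())
```

Against a live server, call `verify_pg_socket("/tmp/.s.PGSQL.5432", pwd.getpwnam("postgres").pw_uid)` and refuse to connect unless it returns ok.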
