
Re: SSL over Unix-domain sockets

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL over Unix-domain sockets
Date: 2008-01-04 19:37:03
Message-ID: 200801041937.m04Jb3B20662@momjian.us
Lists: pgsql-hackers, pgsql-patches
Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Yes, it would plug the hole without fully implementing SSL control on
> > local sockets.  However, the hole is already plugged by using directory
> > permissions so I question the need for a partial solution at this point
> > in 8.3.
> 
> As already noted, "fix /tmp's directory permissions" isn't a very
> helpful suggestion.

Right, I was saying moving to another directory, not changing /tmp,
but you are right that some clients might still look in /tmp, and that
allows spoofing even when the postmaster is running.

> > At this point in 8.3 I think we have to ask if we would make such a
> > change in a minor release, and I don't think we would.
> 
> It depends on whether you call it a new feature or a bug fix.
> If it is a bug fix, wouldn't we also back-patch it?
> 
> Given the smallness of Peter's patch, I don't think that treating
> it as a bug fix is unreasonable, if that (and the docs) are all we
> change.  Now adding "localssl" etc to pg_hba.conf's options seems
> more like a new feature, and that I think should wait for 8.4.
> 
> One question is whether patching this without adding localssl
> (and therefore, without providing a way for the DBA to enforce
> SSL use) is actually very helpful.  You could be secure but you'd
> be depending on the client side to get it right.  OTOH that's true
> anyway if we have no way to enforce that the client verify the
> postmaster's certificate.

Well, if we are relying on the client we might as well tell clients to
use a new non-tmp socket location, and even with SSL we can't require
the client to check the postmaster's certificate, as you said.

If we trust the client, a new socket directory will work, but if we
don't, even SSL doesn't help us, right?  SSL was used for TCP only
because it allowed trusted clients to work.  We already have a unix
socket solution for trusted clients, namely a different directory.

The problem with adding SSL to local sockets is this slippery slope
where we only do part of the job, but it isn't clear where to draw the
line.

Should we wait and do the full job in 8.3.1?

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
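The client-side trust question raised above (can a client tell a real postmaster socket from one another local user planted?) can be checked on Linux without SSL, using the peer credentials of the connected Unix-domain socket plus the directory-permission check the message relies on. This is an added example, not code from this thread or from PostgreSQL; the socket directory layout, the socket name and the throwaway listener are assumptions, and SO_PEERCRED is Linux-specific.

```python
import os, socket, stat, struct, tempfile


def socket_dir_is_private(dir_path, expected_uid):
    # A directory another local user can write to lets them plant a fake socket.
    st = os.stat(dir_path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def peer_uid(sock):
    # Linux-only: SO_PEERCRED yields struct ucred {pid, uid, gid} of the process
    # that called listen() on the server socket.
    creds = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def connect_verified(sock_path, expected_uid):
    # Refuse the socket unless its directory is private to expected_uid and the
    # process on the other end really runs as that uid.
    if not socket_dir_is_private(os.path.dirname(sock_path), expected_uid):
        raise PermissionError("socket directory is not private to the server uid")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(sock_path)
    uid = peer_uid(s)
    if uid != expected_uid:
        s.close()
        raise PermissionError(f"socket served by uid {uid}, expected {expected_uid}")
    return s


def demo(world_writable=False):
    # Throwaway listener standing in for the postmaster, in a fresh directory
    # (constructed for the example; not a real PostgreSQL server).
    sock_dir = tempfile.mkdtemp()           # created mode 0700
    if world_writable:
        os.chmod(sock_dir, 0o777)           # /tmp-like: anyone could add a socket here
    path = os.path.join(sock_dir, ".s.PGSQL.5432")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)                        # peer credentials are fixed at listen()
    try:
        connect_verified(path, os.getuid()).close()
        return True
    except PermissionError:
        return False
    finally:
        server.close()
        os.unlink(path)
        os.rmdir(sock_dir)
```

Later libpq releases added a `requirepeer` connection parameter that performs the same peer-uid check on the client side.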
