Re: SSL over Unix-domain sockets

From: Aidan Van Dyk <aidan(at)highrise(dot)ca>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL over Unix-domain sockets
Date: 2008-01-15 13:54:46
Message-ID: 20080115135446.GL21094@yugib.highrise.ca
Lists: pgsql-hackers pgsql-patches

* Alvaro Herrera <alvherre(at)commandprompt(dot)com> [080115 07:24]:
> Tom Lane wrote:
>
> > It strikes me that given the postmaster's infrastructure for listening
> > on multiple sockets, it would be a pretty small matter of programming
> > to teach it to listen on socket files in multiple directories not only
> > one.
>
> The problem with this idea is that if the postmaster goes away, both
> sockets go away, which means the attacker can place his socket in /tmp
> as he sees fit.

So, make your postmaster listen in a secure location (i.e.
/var/run/postgresql/.s.PGSQL.5432), and have some init script that runs
*before* your attacker puts a symlink in /tmp/s.PGSQL.5432 pointing to
it. This "init" script could even be the normal system postgres init
script.

As long as your symlink is made before your attacker gets a chance to
run anything, your attacker can't change/replace it (or you have more
serious problems), and your "safe" location is protected while you've
stopped the postmaster by normal unix permissions.

I don't think we need to go off trying to build anything new. A little
bit of documentation mentioning that creating/removing the socket from
/tmp can lead to a possible spoofed situation is all you need. Normal
unix permissions can solve the problem completely.

a.

--
Aidan Van Dyk                  Create like a god,
aidan(at)highrise(dot)ca       command like a king,
http://www.highrise.ca/        work like a slave.
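The init-script step Aidan describes, written out as an added example (not code from the thread or from PostgreSQL): the socket lives in a permission-protected directory and the script publishes a symlink to it in /tmp, refusing to touch anything else that is already sitting at that path. The directory and socket paths are assumptions taken from the email; the defensive checks are the part the email leaves implicit.

```shell
#!/bin/sh
# Added example: publish the postmaster's socket, which really lives in a
# permission-protected directory, as a symlink in /tmp. Run early at boot,
# before unprivileged users can run anything.

SAFE_DIR="${SAFE_DIR:-/var/run/postgresql}"      # assumed: owned by postgres, not world-writable
PUBLIC_SOCK="${PUBLIC_SOCK:-/tmp/.s.PGSQL.5432}" # assumed: the path clients look in
SOCK_NAME=".s.PGSQL.5432"

# publish_socket_link SAFE_DIR PUBLIC_PATH
# Returns 0 if PUBLIC_PATH is absent (link is created) or is already our own
# symlink to SAFE_DIR/.s.PGSQL.5432. Returns 1, without modifying anything,
# if some other file, socket or symlink occupies PUBLIC_PATH: at that point
# the safe thing is to refuse and let an operator look at what is there.
publish_socket_link() {
    safe_dir="$1"
    public_sock="$2"
    target="$safe_dir/$SOCK_NAME"

    if [ -L "$public_sock" ]; then
        # An existing symlink is acceptable only if it points exactly at our
        # target; anything else was put there by someone other than this script.
        if [ "$(readlink "$public_sock")" = "$target" ]; then
            return 0
        fi
        echo "refusing: $public_sock is a symlink to $(readlink "$public_sock")" >&2
        return 1
    fi

    if [ -e "$public_sock" ]; then
        # A plain file, directory or foreign socket is in the way.
        echo "refusing: $public_sock already exists and is not our symlink" >&2
        return 1
    fi

    ln -s "$target" "$public_sock"
}

# Usage from the real init script (left commented so the file can be sourced):
# publish_socket_link "$SAFE_DIR" "$PUBLIC_SOCK" || exit 1
```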
