From: | Aidan Van Dyk <aidan(at)highrise(dot)ca> |
---|---|
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SSL over Unix-domain sockets |
Date: | 2008-01-15 13:54:46 |
Message-ID: | 20080115135446.GL21094@yugib.highrise.ca |
Lists: | pgsql-hackers pgsql-patches |
* Alvaro Herrera <alvherre(at)commandprompt(dot)com> [080115 07:24]:
> Tom Lane wrote:
>
> > It strikes me that given the postmaster's infrastructure for listening
> > on multiple sockets, it would be a pretty small matter of programming
> > to teach it to listen on socket files in multiple directories not only
> > one.
>
> The problem with this idea is that if the postmaster goes away, both
> sockets go away, which means the attacker can place his socket in /tmp
> as he sees fit.
So, make your postmaster listen in a secure location (i.e.
/var/run/postgresql/.s.PGSQL.5432), and have some init script that runs
*before* your attacker puts a symlink in /tmp/s.PGSQL.5432 pointing to
it. This "init" script could even be the normal system postgres init
script.
As long as your symlink is made before your attacker gets a chance to
run anything, your attacker can't change/replace it (or you have more
serious problems), and your "safe" location is protected while you've
stopped the postmaster by normal unix permissions.
I don't think we need to go off trying to build anything new. A little
bit of documentation mentioning that creating/removing the socket from
/tmp can lead to a possible spoofed situation is all you need. Normal
unix permissions can solve the problem completely.
a.
--
Aidan Van Dyk                   Create like a god,
aidan(at)highrise(dot)ca        command like a king,
http://www.highrise.ca/         work like a slave.
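The scheme above (postmaster socket in a permission-protected directory, with a symlink under /tmp placed by an init script before any unprivileged user can run) leaves the client with a simple question: does the path it was handed lead to a socket only a trusted uid could have created? The check below is an added example, not code from this thread or from PostgreSQL; `socket_is_trusted`, `make_layout` and `demo` are constructed names, and the trusted-uid set and directory layout are assumptions built in a temp dir so it runs offline.

```python
import os
import socket
import stat
import tempfile

_keep = []  # hold bound sockets so the files stay for the demo

def socket_is_trusted(path, trusted_uids):
    """Client-side check: accept `path` only if the link (if any), the
    socket it resolves to, and the socket's directory are all owned by a
    trusted uid and the directory is not world-writable.  A sticky
    world-writable dir such as /tmp is rejected as the socket's home: while
    the postmaster is down anyone could claim the free name there."""
    try:
        lst = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(lst.st_mode) and lst.st_uid not in trusted_uids:
        return False  # someone else planted the link
    real = os.path.realpath(path)
    try:
        sst = os.stat(real)
        dst = os.stat(os.path.dirname(real))
    except OSError:
        return False
    if not stat.S_ISSOCK(sst.st_mode) or sst.st_uid not in trusted_uids:
        return False  # not a socket, or not owned by a trusted uid
    # only the immediate directory is checked here; a deployment check
    # would walk every ancestor up to the filesystem root as well
    return dst.st_uid in trusted_uids and not dst.st_mode & stat.S_IWOTH

def make_layout():
    """Constructed layout: a private 'run' dir holding a socket plus a
    symlink to it (the init-script case), and a world-writable 1777 dir
    holding a socket (a socket created directly in /tmp)."""
    base = tempfile.mkdtemp(prefix="pgsock", dir="/tmp" if os.path.isdir("/tmp") else None)
    secure = os.path.join(base, "run")
    os.mkdir(secure, 0o755)
    good_sock = os.path.join(secure, ".s.PGSQL.5432")
    _keep.append(socket.socket(socket.AF_UNIX)); _keep[-1].bind(good_sock)
    link = os.path.join(base, "tmp-link")
    os.symlink(good_sock, link)
    shared = os.path.join(base, "shared")
    os.mkdir(shared); os.chmod(shared, 0o1777)
    bad_sock = os.path.join(shared, ".s.PGSQL.5432")
    _keep.append(socket.socket(socket.AF_UNIX)); _keep[-1].bind(bad_sock)
    return link, bad_sock

def demo():
    """Run the check on the constructed layout with the current uid trusted."""
    link, bad = make_layout()
    me = {os.getuid()}
    return (socket_is_trusted(link, me), socket_is_trusted(bad, me),
            socket_is_trusted(link + "-missing", me))
```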