Re: [HACKERS] SSL over Unix-domain sockets

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Date: 2008-01-17 02:58:11
Message-ID: 200801170258.m0H2wBd17777@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-patches

Bruce Momjian wrote:
> Tom Lane wrote:
> > Conclusions:
> >
> > * SSL, even without real authentication, is *way* too expensive to
> > enable by default.
> >
> > * The extra cost of going across a local TCP connection is measurable,
> > but it's insignificant compared to the cost of turning on SSL. (This
> > is on a Fedora 8 kernel BTW ... that result might vary on other
> > platforms.)
> >
> > So you could make a pretty good case that the answer for DBAs who
> > want to prevent spoofing is to disable socket connections in pg_hba.conf
> > and force even local connections to come through "hostssl" connections.
>
> Yea, I figured using protected directories for the socket was the
> zero-cost solution, and if you have to do SSL, might as well just use
> TCP too. (If you moved the socket file to a protected directory I think
> you could use external_pid_file='/tmp/.s.PGSQL.5432' to prevent a spoof
> socket file in /tmp. Should we document that idea?)

I did some research on this. external_pid_file will not prevent the
server from starting. If the lock file exists it just generates an
entry in the log file:

postmaster: could not write external PID file "/tmp/x": Permission denied

Looking at the threat matrix, we have:

Server Client Server Up? Spoofable?
/tmp /tmp Y N
/tmp /tmp N Y
$HOME $HOME Y N
$HOME $HOME N N
$HOME /tmp Y N
$HOME /tmp N Y

Basically, if you use a user-specific directory for the server socket
file ($HOME) and an external_pid_file, the only way for the client to be
spoofed is for the client to be using /tmp _and_ for the server to be
down.

I assume most new applications will be tested while the server is up and
therefore will fail and the client will be fixed.

I have written the following documentation addition suggesting the use
of external_pid_file.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Attachment Content-Type Size
/rtmp/diff text/x-diff 1.8 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Marc G. Fournier 2008-01-17 05:52:50 Re: postgresql in FreeBSD jails: proposal
Previous Message Andreas Pflug 2008-01-17 00:06:59 Re: Postgresql Materialized views

Browse pgsql-patches by date

  From Date Subject
Next Message Marc G. Fournier 2008-01-17 05:52:50 Re: postgresql in FreeBSD jails: proposal
Previous Message Tom Lane 2008-01-17 01:19:27 Proposed patch for renaming constraints along with indexes