Skip site navigation (1) Skip section navigation (2)

Re: [HACKERS] SSL over Unix-domain sockets

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Date: 2008-01-17 02:58:11
Message-ID: 200801170258.m0H2wBd17777@momjian.us (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Bruce Momjian wrote:
> Tom Lane wrote:
> > Conclusions:
> > 
> > * SSL, even without real authentication, is *way* too expensive to
> > enable by default.
> > 
> > * The extra cost of going across a local TCP connection is measurable,
> > but it's insignificant compared to the cost of turning on SSL.  (This
> > is on a Fedora 8 kernel BTW ... that result might vary on other
> > platforms.)
> > 
> > So you could make a pretty good case that the answer for DBAs who
> > want to prevent spoofing is to disable socket connections in pg_hba.conf
> > and force even local connections to come through "hostssl" connections.
> 
> Yea, I figured using protected directories for the socket was the
> zero-cost solution, and if you have to do SSL, might as well just use
> TCP too.  (If you moved the socket file to a protected directory I think
> you could use external_pid_file='/tmp/.s.PGSQL.5432' to prevent a spoof
> socket file in /tmp.  Should we document that idea?)

I did some research on this.  external_pid_file will not prevent the
server from starting.  If the lock file exists it just generates an
entry in the log file:

	postmaster: could not write external PID file "/tmp/x": Permission denied

Looking at the threat matrix, we have:

	Server		Client		Server Up?	Spoofable?
	/tmp		/tmp		Y		N
	/tmp		/tmp		N		Y
	$HOME		$HOME		Y		N
	$HOME		$HOME		N		N
	$HOME		/tmp		Y		N
	$HOME		/tmp		N		Y

Basically, if you use a user-specific directory for the server socket
file ($HOME) and an external_pid_file, the only way for the client to be
spoofed is for the client to be using /tmp _and_ for the server to be
down.

I assume most new applications will be tested while the server is up and
therefore will fail and the client will be fixed.

I have written the following documentation addition suggesting the use
of external_pid_file.

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

Attachment: /rtmp/diff
Description: text/x-diff (1.8 KB)

In response to

Responses

pgsql-hackers by date

Next:From: Marc G. FournierDate: 2008-01-17 05:52:50
Subject: Re: postgresql in FreeBSD jails: proposal
Previous:From: Andreas PflugDate: 2008-01-17 00:06:59
Subject: Re: Postgresql Materialized views

pgsql-patches by date

Next:From: Marc G. FournierDate: 2008-01-17 05:52:50
Subject: Re: postgresql in FreeBSD jails: proposal
Previous:From: Tom LaneDate: 2008-01-17 01:19:27
Subject: Proposed patch for renaming constraints along with indexes

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group