Skip site navigation (1) Skip section navigation (2)

Re: [HACKERS] SSL over Unix-domain sockets

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Date: 2008-01-18 10:38:23
Message-ID: 200801181138.23963.peter_e@gmx.net (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Am Freitag, 18. Januar 2008 schrieb Alvaro Herrera:
> I propose to create a dangling symlink on system startup in
> /tmp/.s.PGSQL.<port> to the real socket, which is not on a
> world-writable directory.  This avoids the spoofer, because he cannot
> create the socket -- the symlink is occupying its place.

This approaches the issue from the wrong end.  Spoofing attacks the client, so 
the defense must be in the client.  If the defense of the client is to rely 
on a carefully configured server, then that might exclude some possible 
attack vectors, but it is not a defense the client can rely on.

To look at this in another way, if we relied on every browser user to type in 
web addresses correctly and all server administrators to make sure 
their "socket address" cannot be hijacked, we wouldn't need SSL on the web.  
The proper approach, however, is to configure the client to only talk to 
servers that can prove their identity.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/

In response to

pgsql-hackers by date

Next:From: Magnus HaganderDate: 2008-01-18 10:59:49
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Previous:From: Peter EisentrautDate: 2008-01-18 10:24:09
Subject: Re: [HACKERS] SSL over Unix-domain sockets

pgsql-patches by date

Next:From: Magnus HaganderDate: 2008-01-18 10:59:49
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Previous:From: Peter EisentrautDate: 2008-01-18 10:24:09
Subject: Re: [HACKERS] SSL over Unix-domain sockets

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group