| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org, Martijn van Oosterhout <kleptog(at)svana(dot)org> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Subject: | Re: SSL over Unix-domain sockets |
| Date: | 2009-04-06 17:42:38 |
| Message-ID: | 200904062042.39318.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wednesday 01 April 2009 20:37:56 Martijn van Oosterhout wrote:
> On Tue, Mar 31, 2009 at 11:33:26PM +0300, Peter Eisentraut wrote:
> > On Saturday 28 March 2009 00:42:28 Bruce Momjian wrote:
> > > I assume directory permissions controlling access to the socket file
> > > would be enough. You are going to have to set up SSL certificates
> > > anyway for this so isn't that just as hard as telling the client where
> > > the socket file is located?
> >
> > The permissions on the socket file or the containing directory doesn't
> > tell much by itself, because you also need to consider who owns it. What
> > that basically comes down to is that the client would need to specify
> > something like, "I only want a connection to a server owned by
> > 'postgres'." But the client currently has no way of saying that, so we'd
> > need to invent something new.
>
> If you're going to get complicated, go the whole way do SO_PEERCRED on
> the socket, then you get the UID of the server...
I have added this to the Todo list.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2009-04-06 19:07:49 | Re: Fix for psql \d tab completion |
| Previous Message | Bruce Momjian | 2009-04-06 15:52:19 | Fix for psql \d tab completion |