| From: | "Micha Mosiewicz" <mimo(at)lodz(dot)pdi(dot)net> |
|---|---|
| To: | todd brandys <brandys(at)eng3(dot)hep(dot)uiuc(dot)edu> |
| Cc: | scrappy(at)hub(dot)org, hackers(at)postgresql(dot)org |
| Subject: | Re: [HACKERS] Re: New pg_pwd patch and stuff |
| Date: | 1998-01-16 02:35:38 |
| Message-ID: | 34BEC77A.D836088C@lodz.pdi.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
todd brandys wrote:
>
> > Fork off the postgres process first, then authenticate inside of
> > there...which would get rid of the problem with pg_user itself being a
> > text file vs a relation...no?
>
> Yes, yes, yes. This is how authentication should be done (for HBA, etc.)
No, no, no! For security reasons, you can't fork (and exec)
unauthenticated processes. Especially HBA authentication should be done
to consume as low resources as possbile. Otherwise you open a giant door
for so infamously called Denial of Service attacks. Afterwards, every
hacker will know that to bring your system running postgres to it's
knees he just have to try to connect to 5432 port very frequently. "OK",
you might say, "I have this firewall". "OK", I say, "so what's that HBA
for?".
So it's the postmaster's role to deny as much connections as possible.
Unless we speak of non-execing postgres childs?
Mike
--
WWW: http://www.lodz.pdi.net/~mimo tel: Int. Acc. Code + 48 42 148340
add: Michal Mosiewicz * Bugaj 66 m.54 * 95-200 Pabianice * POLAND
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Vadim B. Mikheev | 1998-01-16 03:30:22 | Re: [HACKERS] postgres performance |
| Previous Message | Thomas G. Lockhart | 1998-01-16 02:16:32 | Re: [HACKERS] Patch for glibc2 date problems |