
Re: Spoofing as the postmaster

From: "Brendan Jurd" <direvus(at)gmail(dot)com>
To: "Bruce Momjian" <bruce(at)momjian(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, "Tomasz Ostrowski" <tometzky(at)batory(dot)org(dot)pl>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 03:04:14
Message-ID: 37ed240d0712221904n371fa3e4k897b0506727aa7c8@mail.gmail.com
Lists: pgsql-hackers
On Dec 23, 2007 1:25 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> I have written documentation for this item:
>
>         http://momjian.us/tmp/pgsql/server-shutdown.html#SERVER-SPOOFING
>
> Comments?

I thought the content made sense, but the location didn't.  I wouldn't
expect to find instructions on configuring Postgres for secure
operation under a section about how to shut the server down.

I realise that in order for the exploit to occur, the server must be
shut down (or not yet started), but unless a user already knows about
the way the exploit works, how will they know to look for info about
it here?

IMO by putting this guidance under "Shutting Down" you're going to
hurt the chances of anyone stumbling across it.  I doubt you'd get
many users reading "Shutting Down" at all because in most cases, it's
an easy or obvious thing to do (initscripts provided by package and
pg_ctl are self-explanatory).

Regards,
BJ
