
Re: Spoofing as the postmaster

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Andrew Sullivan <ajs(at)crankycanuck(dot)ca>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Spoofing as the postmaster
Date: 2007-12-29 17:34:59
Message-ID: 47768543.9040101@mark.mielke.cc
Lists: pgsql-hackers
Andrew Dunstan wrote:
> D'Arcy J.M. Cain wrote:
>>  - 1:  How does the client assure that the postmaster is legit
>>  - 2:  How does the postmaster assure that the client is legit   
> And neither answers the original problem:
> 3. How can the sysadmin prevent a malicious local user from hijacking 
> the sockets if the postmaster isn't running?
> Prevention is much more valuable than ex post detection, IMNSHO.
> Probably the first answer is not to run postgres on a machine with 
> untrusted users, but that's not always possible. Maybe we can't find a 
> simple cross-platform answer, but that doesn't mean we should not look 
> at platform-specific answers, at least for documentation.
I thought this answer was already provided: Put the socket in a 
directory that is only writable by the database owner. The socket is 
created as part of the bind() process. I think this covers 90%+ of it, 
and is already in use by distributions. The only thing "better" this 
team could do would be to formalize it? The "serveruser=" db open 
parameter might be enough to lock it up tight if there is still a race 
condition on bind(). It's effectively a very cheap authentication 
mechanism that does not require expensive cryptographic operations.

There is probably value to making SSL consistent for TCP/UNIX sockets as 
Tom suggests. Removing the inconsistency as it were, and allowing for 
SSL authentication and encryption for UNIX sockets the same as for TCP 
sockets. If it were as simple as removing an if statement that would be 
even cooler... :-)

What has come out for me is that this isn't UNIX socket specific at all 
(although there may be UNIX socket specific options available). The 
standard PostgreSQL port is above 1024, and anybody could 
bind()/listen()/accept() on it, assuming it is not running. This is 
where your first answer of running PostgreSQL on a machine with trusted 
users comes in as a sensible recommendation, even if only some people 
are willing to accept this recommendation. :-)

Cheers,
mark

-- 
Mark Mielke <mark(at)mielke(dot)cc>
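The two mitigations discussed in this message, a socket directory writable only by the database owner and a client-side check that the process behind the socket really is the expected server user (the "serveruser=" idea), as an added example that is not part of the thread or of PostgreSQL itself. It assumes Linux (SO_PEERCRED on AF_UNIX sockets); `expected_uid` stands in for the hypothetical "serveruser=" parameter, and the socket path and directory are constructed in a temp directory.

```python
import os
import socket
import stat
import struct
import tempfile


def socket_dir_is_safe(path: str, expected_uid: int) -> bool:
    """The directory holding the socket must belong to the database owner and
    must not be writable by group/other; otherwise any local user can bind a
    socket of the same name while the real postmaster is not running."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def peer_uid(sock: socket.socket) -> int:
    """Linux only: ask the kernel which uid owns the process on the other end
    of a connected AF_UNIX socket (struct ucred is {pid, uid, gid}, three ints)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def connect_checked(sock_path: str, expected_uid: int) -> socket.socket:
    """Connect only if the directory is safe AND the peer runs as expected_uid.
    Both checks are cheap and need no cryptography, as the message points out."""
    if not socket_dir_is_safe(os.path.dirname(sock_path), expected_uid):
        raise PermissionError("socket directory is not owned/locked by the server user")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(sock_path)
    if peer_uid(s) != expected_uid:
        s.close()
        raise PermissionError("peer is not running as the expected server user")
    return s


def demo() -> tuple:
    """Constructed scenario: we play both server and client as the same uid."""
    with tempfile.TemporaryDirectory() as d:   # created with mode 0700
        path = os.path.join(d, ".s.PGSQL.5432")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        client = connect_checked(path, os.getuid())     # passes: same uid
        same_user = peer_uid(client) == os.getuid()
        client.close()
        srv.close()
        os.chmod(d, 0o777)                              # world-writable dir
        rejected = not socket_dir_is_safe(d, os.getuid())
        return same_user, rejected
```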
