Re: Spoofing as the postmaster

Mark Mielke wrote:
> Andrew Dunstan wrote:
>> D'Arcy J.M. Cain wrote:
>>> - 1: How does the client assure that the postmaster is legit
>>> - 2: How does the postmaster assure that the client is legit
>> And neither answers the original problem:
>> 3. How can the sysadmin prevent a malicious local user from hijacking
>> the sockets if the postmaster isn't running?
>> Prevention is much more valuable than ex post detection, IMNSHO.
>> Probably the first answer is not to run postgres on a machine with
>> untrusted users, but that's not always possible. Maybe we can't find
>> a simple cross-platform answer, but that doesn't mean we should not
>> look at platform-specific answers, at least for documentation.
> I thought this answer was already provided: Put the socket in a
> directory that is only writable by the database owner. The socket is
> created as part of the bind() process. I think this covers 90%+ of it,
> and is already in use by distributions. The only thing "better" this
> team could do would be to formalize it? The "serveruser=" db open
> parameter might be enough to lock it up tight if there is still a race
> condition on bind(). It's effectively a very cheap authentication
> mechanism that does not require expensive cryptographic operations.
>
>

It's in use by some distributions, hardly all, or even a majority. AFAIK
it's only in Debian + descendants.

Anyway, I think it could arguably make matters worse, not better, by
guaranteeing that the postmaster can start up even if the TCP socket has
been hijacked . That's why I suggested it might be useful to have a
switch that says don't start if any interface fails to bind (which was
the old pre-8.0 behaviour).

It might well be useful for us to look at drafting an SELinux policy,
even if it's not universal. After all, this situation is precisely the
sort of thing that SELinux is about, ISTM.

cheers

andrew