Skip site navigation (1) Skip section navigation (2)

Re: [HACKERS] SSL over Unix-domain sockets

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Subject: Re: [HACKERS] SSL over Unix-domain sockets
Date: 2008-01-18 02:42:05
Message-ID: 479011FD.6040904@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches

Alvaro Herrera wrote:
> Andrew Dunstan wrote:
>   
>> Alvaro Herrera wrote:
>>     
>>> Andrew Dunstan wrote:
>>>
>>>   
>>>       
>>>> I agree. I remain of the opinion that this is not a problem than can be 
>>>> solved purely within the bounds of postgres.
>>>>         
>>> I agree.  Please comment on my proposed solution.
>>>       
>> I'm not sure tmp cleaners will work that well against a determined spoofer.
>>     
>
> I don't understand.  The tmp cleaner is something we have to _avoid_.
> Let me repeat my proposal.
>
> I propose to create a dangling symlink on system startup in
> /tmp/.s.PGSQL.<port> to the real socket, which is not on a
> world-writable directory.  This avoids the spoofer, because he cannot
> create the socket -- the symlink is occupying its place.
>
> The only problem with this proposal is that the tmp cleaner would remove
> the symlink.  The solution to this is to configure the tmp cleaner so
> that it doesn't do that.
>
> It absolutely requires cooperation from the sysadmin, both to setup the
> symlink initially, and to configure the tmp cleaner.
>   

Oh. I'm sorry. Yes, I think this would work.

cheers

andrew

In response to

pgsql-hackers by date

Next:From: Joshua D. DrakeDate: 2008-01-18 03:17:00
Subject: Re: Simple thing to make pg_autovacuum more useful
Previous:From: Bruce MomjianDate: 2008-01-18 02:24:26
Subject: Re: [HACKERS] SSL over Unix-domain sockets

pgsql-patches by date

Next:From: Stefan SchwarzerDate: 2008-01-18 06:00:52
Subject: Re: Forgot to dump old data before re-installing machine
Previous:From: Bruce MomjianDate: 2008-01-18 02:24:26
Subject: Re: [HACKERS] SSL over Unix-domain sockets

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group