Skip site navigation (1) Skip section navigation (2)

Re: Password requirement in windows installer

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "Andrew Sullivan" <ajs(at)crankycanuck(dot)ca>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Password requirement in windows installer
Date: 2007-08-31 18:07:40
Message-ID: (view raw or whole thread)
Lists: pgsql-hackers
"Andrew Sullivan" <ajs(at)crankycanuck(dot)ca> writes:

> On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote:
>> Is it easy to spoof where an incoming connection request is coming from?
>> Is there something else that makes ident on insecure?
> It shouldn't be easy.  Ident uses TCP, which is rather harder to
> spoof.  

Say what? It's actually quite easy to spoof TCP. There are even command-line
tools to do it available in most Unix distributions.

> If someone can originate spoofed TCP packets from, you gots bigger
> problems than them being able to lie about the identity of a user.

Well yes, there are other insecure services which look at the originating ip
address. But hopefully fewer and fewer as time goes on. Once upon a time X was
a big target since most X servers shipped trusting and you could
slip a request into the first data packet to trust other ip addresses which
made attacking it considerably easier. These days X doesn't use ip addresses
to handle authorization any more.

Also modern distributions, at least on Linux, tend to install ip filters to
block packets with source addresses like 127/8 coming from an external
interface. However even today I wouldn't be confident that all operating
systems do so or that they work correctly in all circumstances.

  Gregory Stark

In response to


pgsql-hackers by date

Next:From: Andrew DunstanDate: 2007-08-31 18:26:01
Subject: Re: enum types and binary queries
Previous:From: Decibel!Date: 2007-08-31 17:58:36
Subject: Re: enum types and binary queries

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group