Re: Password requirement in windows installer

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "Andrew Sullivan" <ajs(at)crankycanuck(dot)ca>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Password requirement in windows installer
Date: 2007-08-31 18:07:40
Message-ID: 87bqcn60ib.fsf@oxford.xeocode.com
Lists: pgsql-hackers
"Andrew Sullivan" <ajs(at)crankycanuck(dot)ca> writes:

> On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote:
>> 
>> Is it easy to spoof where an incoming connection request is coming from?
>> Is there something else that makes ident on 127.0.0.1/32 insecure?
>
> It shouldn't be easy.  Ident uses TCP, which is rather harder to
> spoof.  

Say what? It's actually quite easy to spoof TCP. There are even command-line
tools to do it available in most Unix distributions.

> If someone can originate spoofed TCP packets from 127.0.0.1, you gots bigger
> problems than them being able to lie about the identity of a user.

Well yes, there are other insecure services which look at the originating ip
address. But hopefully fewer and fewer as time goes on. Once upon a time X was
a big target since most X servers shipped trusting 127.0.0.1 and you could
slip a request into the first data packet to trust other ip addresses which
made attacking it considerably easier. These days X doesn't use ip addresses
to handle authorization any more.

Also modern distributions, at least on Linux, tend to install ip filters to
block packets with source addresses like 127/8 coming from an external
interface. However even today I wouldn't be confident that all operating
systems do so or that they work correctly in all circumstances.

-- 
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
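As an added illustration of the mitigation angle above (not code from the thread or from PostgreSQL), the following audits pg_hba.conf rules that authenticate by claimed network origin, that is, `ident` or `trust`. The sample configuration is constructed; the `local` line layout and the bare-address-plus-netmask form follow the pg_hba.conf format.

```python
import ipaddress

# Constructed sample pg_hba.conf; not taken from the thread or any real host.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    peer
host     all       all   127.0.0.1/32     ident
host     all       all   ::1/128          md5
host     all       all   192.168.0.0/24   ident
host     all       all   10.0.0.0/8       trust
hostssl  all       all   0.0.0.0/0        scram-sha-256
"""

# Methods that decide on where the connection appears to come from rather
# than on a secret the client proves it holds.
ADDRESS_TRUSTING = {"ident", "trust"}


def parse_hba(text):
    """Yield (type, address_or_None, method) for every rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # local rules have no ADDRESS column: TYPE DB USER METHOD [options]
            yield f[0], None, f[3]
            continue
        try:
            # ADDRESS may be "a.b.c.d 255.255.255.0": a bare IP plus a netmask
            ipaddress.ip_address(f[4])
            yield f[0], f[3] + "/" + f[4], f[5]
        except ValueError:
            yield f[0], f[3], f[4]


def audit_hba(text):
    """Return (address, method, is_loopback) for each origin-trusting rule.

    Loopback rules are reported too: as the message above argues, they still
    depend on the OS refusing loopback-sourced packets that arrive on another
    interface, so they deserve a look rather than a free pass.
    """
    findings = []
    for typ, addr, method in parse_hba(text):
        if typ == "local" or method not in ADDRESS_TRUSTING:
            continue
        try:
            loopback = ipaddress.ip_network(addr, strict=False).is_loopback
        except ValueError:  # "all", "samehost", "samenet" are not loopback-only
            loopback = False
        findings.append((addr, method, loopback))
    return findings
```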
