Skip site navigation (1) Skip section navigation (2)

Re: Spoofing as the postmaster

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Bruce Momjian <bruce(at)momjian(dot)us>, Brendan Jurd <direvus(at)gmail(dot)com>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 22:09:21
Message-ID: 15985.1198447761@sss.pgh.pa.us (view raw, whole thread or download thread mbox)
Thread:
Lists: pgsql-hackers
Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl> writes:
> So I'm not very fond of this "insecure by default, it's your problem
> to make it secure" attitude. I'm the one who reported this.

IIRC, you started out your argument by also saying that we had to move
the TCP socket to the reserved range, so as to prevent the equivalent
problem in the TCP case.  (And, given the number of clients such as
JDBC that can only connect via TCP, it certainly seems there's little
point in changing the socket case if we don't change the TCP case.)

So let's look at the implications:

1. Postmaster must be started as root, thereby introducing security
risks of its own (ie, after breaking into the DB, an attacker might be
able to re-acquire root privileges).

2. Can only have one postmaster per machine (ICANN is certainly not
going to give us dozens of reserved addresses).

3. Massive confusion and breakage as various people transition to the
new standard at different times.

4. Potential to create, rather than remove, spoofing opportunities
anyplace there is confusion about which port the postmaster is really
listening on.

And at the end of the day there are still any number of ways to
configure your system insecurely...

Fundamentally these are man-in-the-middle attacks, and the only real
solution is mutual authentication.  Pretending that some quick-fix
change eliminates that class of problem is a recipe for building systems
that are less secure, not more so.

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Martijn van OosterhoutDate: 2007-12-23 22:18:28
Subject: Re: Spoofing as the postmaster
Previous:From: Tom LaneDate: 2007-12-23 21:43:54
Subject: Re: Spoofing as the postmaster

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group