Re: Specification of "/" in the host name (for Unix socket support)

From: Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk>
To: "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Specification of "/" in the host name (for Unix socket support)
Date: 2003-09-16 13:31:00
Message-ID: 20030916143100.A26377@bacon
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-jdbc

On 14/09/2003 01:16 Oliver Jowett wrote:
> On Sat, Sep 13, 2003 at 05:28:03PM +0100, Paul Thomas wrote:
> > You can hide the port from the outside world with a firewall and
> configure
> > PostgreSQL to only accept tcp/ip connections for And if
> packet
> > sniffing on the loopback interface is a concern, is SSL not secure
> enough?
> > Having said that, I'm not sure if the JDBC driver supports SSL ATM but
> > even without it the security argument (as opposed to a dogmatic policy
> > stance) looks very weak to me which is why I initially discounted it.
> The current driver does support SSL. I'm not sure what certificate
> management is like under this setup, but from past SSL experiences it's
> going to be "interesting".
> However, the simple solution to "I don't want the outside world to see
> the
> server" is "don't listen on TCP/IP, then". Firewalls and tweaking
> postgresql's host-based ACLs would work .. if configured and maintained
> correctly .. but they are hardly the simplest solution and are more
> likely
> to go wrong.

If your firewall goes wrong, I think you've got more fundamental problems
that exposing port 5432! As for configuring, even a simple tool like
Lokkit will do the job.

> Also user authentication becomes interesting if you want to do access
> control based on the local user's identity (quite likely when you're
> running
> the client on the same machine as the server). You're going to have to
> run
> an ident server at a minimum (more stuff to configure, firewall, and
> maintain, and another point of failure as the DB relies on it). Unix
> sockets
> can use SCM_CREDENTIALS to pass user information in a much simpler way.
> And
> you can set filesystem-based (user/group) permissions on a unix socket,
> something you can't do with a TCP/IP listener.

Well, if all of this is a must-have then Java is probably the wrong
language to use.

Paul Thomas
| Thomas Micro Systems Limited | Software Solutions for the Smaller
Business |
| Computer Consultants | |


Browse pgsql-jdbc by date

  From Date Subject
Next Message Sergio Ramos 2003-09-16 14:58:34 Connection refused. HELP ME!!!!
Previous Message Paul Thomas 2003-09-16 12:56:15 Re: Specification of "/" in the host name (for Unix socket support)