
Re: Spoofing as the postmaster

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Gurjeet Singh <singh(dot)gurjeet(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 01:20:53
Lists: pgsql-hackers

Gurjeet Singh wrote:
> On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> >
> > It is possible for the attacker to use one of the interfaces (tcp or
> > unix domain) and wait for the postmaster to start.  The postmaster will
> > fail to start on the interface in use but will start on the other
> > interface and the attacker could route queries to the active postmaster
> > interface.
> >
> >
> I am not very conversant with networking, but I see a possibly simple
> solution. Why not refuse to start the postmaster if we are unable to bind
> with any of the interfaces (all that are specified in the conf file)?
>     This way, if the attacker has control of even one interface (and
> optionally the local socket) that the clients are expected to connect to,
> the postmaster wouldn't start and the attacker won't have any traffic to
> peek into.

Yes, that would fix the problem I mentioned but at that point the
attacker already has passwords so they can just connect themselves. 
Having the server fail if it can't get one interface makes the server
less reliable.

  Bruce Momjian  <bruce(at)momjian(dot)us>

  + If your life is a hard drive, Christ can be your backup. +
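
The two startup policies discussed in this message, as an added example that is not part of the original e-mail and is not PostgreSQL code. It assumes loopback TCP ports stand in for the configured interfaces; `listen_on`, `bound_port` and `open_listeners` are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on 127.0.0.1:port (0 = any free port); returns fd or -1. */
int listen_on(unsigned short port)
{
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *) &a, sizeof a) < 0 || listen(fd, 8) < 0) {
        close(fd);               /* e.g. EADDRINUSE: another process holds it */
        return -1;
    }
    return fd;
}

/* Port the kernel assigned to a listening fd. */
unsigned short bound_port(int fd)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    getsockname(fd, (struct sockaddr *) &a, &len);
    return ntohs(a.sin_port);
}

/* strict != 0: refuse to start unless every endpoint binds (the proposal).
 * strict == 0: start on whatever binds (the behaviour the thread describes).
 * Returns the number of fds stored in fds[], or -1 when refusing to start. */
int open_listeners(const unsigned short *ports, int n, int strict, int *fds)
{
    int opened = 0;
    for (int i = 0; i < n; i++) {
        int fd = listen_on(ports[i]);
        if (fd >= 0) { fds[opened++] = fd; continue; }
        if (!strict) continue;
        while (opened > 0) close(fds[--opened]);   /* no partial startup */
        return -1;
    }
    return opened > 0 ? opened : -1;
}
```

With one endpoint already held by another process, the lenient policy comes up on the remaining endpoint, while the strict policy leaves no listener at all.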
