Re: Spoofing as the postmaster

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Gurjeet Singh <singh(dot)gurjeet(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 01:20:53
Message-ID: 200712230120.lBN1Kr200833@momjian.us
Lists: pgsql-hackers

Gurjeet Singh wrote:
> On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> >
> > It is possible for the attacker to use one of the interfaces (tcp or
> > unix domain) and wait for the postmaster to start. The postmaster will
> > fail to start on the interface in use but will start on the other
> > interface and the attacker could route queries to the active postmaster
> > interface.
> >
> >
> I am not very conversant with networking, but I see a possibly simple
> solution. Why not refuse to start the postmaster if we are unable to bind
> with any of the interfaces (all that are specified in the conf file).
>
> This way, if the attacker has control of even one interface (and
> optionally the local socket) that the clients are expected to connect to,
> the postmaster wouldn't start and the attacker won't have any traffic to
> peek into.

Yes, that would fix the problem I mentioned but at that point the
attacker already has passwords so they can just connect themselves.
Having the server fail if it can't get one interface makes the server
less reliable.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
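
The two startup policies discussed in this message, as an added example that is not part of the original e-mail and is not PostgreSQL code: a listener that starts on whichever endpoints it can bind, beside one that refuses to start when any configured endpoint is unavailable. The function names and the socket file name are hypothetical, and the "already in use" endpoint is constructed locally inside the demo.

```python
import os
import socket
import tempfile

def _bind(kind, addr):
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        s.bind(addr)
        s.listen(8)
    except OSError:
        s.close()
        raise
    return s

def release(bound):
    for kind, addr, sock in bound:
        sock.close()
        if kind == "unix":
            os.unlink(addr)  # remove the socket file this process created

def start_listeners(endpoints, strict):
    """Bind each (kind, addr) endpoint and return (bound, failed).

    strict=False: start on whatever binds (the behaviour the thread describes).
    strict=True: the proposed policy; any failure releases everything and raises.
    """
    bound, failed = [], []
    for kind, addr in endpoints:
        try:
            bound.append((kind, addr, _bind(kind, addr)))
        except OSError as exc:
            failed.append((kind, addr, exc.strerror))
    if strict and failed:
        release(bound)
        raise RuntimeError(f"refusing to start, could not bind: {failed}")
    return bound, failed

def demo():
    """Constructed scenario: the Unix-socket path is already held by another socket."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, ".s.DEMO.sock")   # hypothetical socket file name
    holder = _bind("unix", path)               # stands in for the other process
    endpoints = [("tcp", ("127.0.0.1", 0)), ("unix", path)]
    bound, failed = start_listeners(endpoints, strict=False)
    lenient = ([k for k, _, _ in bound], [k for k, _, _ in failed])
    release(bound)
    try:
        start_listeners(endpoints, strict=True)
        strict_result = "started"
    except RuntimeError:
        strict_result = "refused"
    holder.close(); os.unlink(path); os.rmdir(tmp)
    return lenient, strict_result
```

With `strict=False` the server comes up on TCP only and the occupied Unix socket goes unnoticed unless `failed` is logged and alerted on; with `strict=True` the same condition stops startup, which is the reliability cost raised in the reply.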
