Re: Spoofing as the postmaster

Brendan Jurd wrote:
> On Dec 23, 2007 12:20 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > Gurjeet Singh wrote:
> > > On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > > This way, if the attacker has control of even one interface (and
> > > optionally the local socket) that the clients are expected to connect to,
> > > the postmaster wouldn't start and the attacker won't have any traffic to
> > > peek into.
> >
> > Yes, that would fix the problem I mentioned but at that point the
> > attacker already has passwords so they can just connect themselves.
> > Having the server fail if it can't get one interface makes the server
> > less reliable.
>
> It doesn't solve the spoofing attack problem, but isn't Gurjeet's idea
> a good one in any case?
>
> If the postmaster can't bind on one of the specified interfaces, then
> at the least, haven't you got got a serious configuration error the
> sysadmin would want to know about? Having postmaster fail seems like
> a sensible response.
>
> "I can't start with the configuration you've given me, so I won't
> start at all" is fairly normal behaviour for a server process, no?

Yes, we have talked about this in the past and there were concerns that
that the server might have some network problem that would prevent
binding on all interfaces, particularly IPv6.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +