Re: Spoofing as the postmaster

From: Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Bruce Momjian <bruce(at)momjian(dot)us>, Brendan Jurd <direvus(at)gmail(dot)com>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 23:04:16
Message-ID: 20071223230414.GA605@batory.org.pl
Lists: pgsql-hackers

On Sun, 23 Dec 2007, Tom Lane wrote:

> IIRC, you started out your argument by also saying that we had to move
> the TCP socket to the reserved range, so as to prevent the equivalent
> problem in the TCP case.
>
> 1. Postmaster must be started as root, thereby introducing security
> risks of its own (ie, after breaking into the DB, an attacker might be
> able to re-acquire root privileges).

Not at all, as it won't run as root, it'll just start as root and
then give up all root privileges. The only thing it would have after
being root is just an open socket.

> 2. Can only have one postmaster per machine (ICANN is certainly not
> going to give us dozens of reserved addresses).

I don't think ICANN would prevent anybody from using a different port.
I'm running httpd on port 81, sshd on 222 etc. It's just the default
that should be made official through ICANN.

> 3. Massive confusion and breakage as various people transition to the
> new standard at different times.

As with any major version.

> 4. Potential to create, rather than remove, spoofing opportunities
> anyplace there is confusion about which port the postmaster is really
> listening on.

I agree. But because it would just not work, it'll be easy to notice
and correct. And when corrected there would be no more confusion.

> Fundamentally these are man-in-the-middle attacks, and the only real
> solution is mutual authentication.

The problem is that not many people expect a man-in-the-middle attack
on a secure LAN, localhost or local socket connection, so they won't
try to prevent it.

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
