From: | "Brendan Jurd" <direvus(at)gmail(dot)com> |
---|---|
To: | "Bruce Momjian" <bruce(at)momjian(dot)us> |
Cc: | "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, "Tomasz Ostrowski" <tometzky(at)batory(dot)org(dot)pl> |
Subject: | Re: Spoofing as the postmaster |
Date: | 2007-12-23 02:07:05 |
Message-ID: | 37ed240d0712221807w6d6c0ffbib15b17aaa48b0482@mail.gmail.com |
Lists: | pgsql-hackers |
On Dec 23, 2007 12:20 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> Gurjeet Singh wrote:
> > On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> > This way, if the attacker has control of even one interface (and
> > optionally the local socket) that the clients are expected to connect to,
> > the postmaster wouldn't start and the attacker won't have any traffic to
> > peek into.
>
> Yes, that would fix the problem I mentioned but at that point the
> attacker already has passwords so they can just connect themselves.
> Having the server fail if it can't get one interface makes the server
> less reliable.

It doesn't solve the spoofing attack problem, but isn't Gurjeet's idea
a good one in any case?

If the postmaster can't bind on one of the specified interfaces, then
at the least, haven't you got a serious configuration error the
sysadmin would want to know about? Having postmaster fail seems like
a sensible response.

"I can't start with the configuration you've given me, so I won't
start at all" is fairly normal behaviour for a server process, no?

Regards,
BJ