Re: Spoofing as the postmaster

Bruce Momjian wrote:
> Brendan Jurd wrote:
>> On Dec 23, 2007 1:25 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>> I have written documentation for this item:
>>>
>>> http://momjian.us/tmp/pgsql/server-shutdown.html#SERVER-SPOOFING
>>>
>>> Comments?
>> I thought the content made sense, but the location didn't. I wouldn't
>> expect to find instructions on configuring Postgres for secure
>> operation under a section about how to shut the server down.
>>
>> I realise that in order for the exploit to occur, the server must be
>> shut down (or not yet started), but unless a user already knows about
>> the way the exploit works, how will they know to look for info about
>> it here?
>>
>> IMO by putting this guidance under "Shutting Down" you're going to
>> hurt the chances of anyone stumbling across it. I doubt you'd get
>> many users reading "Shutting Down" at all because in most cases, it's
>> an easy or obvious thing to do (initscripts provided by package and
>> pg_ctl are self-explanatory).
>
> Agreed. I moved it up to its own section:
>
> http://momjian.us/tmp/pgsql/preventing-server-spoofing.html
>
> I improved the wording slightly too.
>

The server doesn't need a root.crt certificate really - but it does need
the *server* certificate (server.key/server.crt). root.crt is only used
to verify *client* certificates, which is a different thing from what
you're outlining here.

Out of curiosity, does any of the other databases out there "solve" this
somehow? Or any non-databases too, really. To me this seems like a
general problem for *any* kind of server processes - at least any that
runs with port >1024 on Unix (and any at all on win32, since they don't
check the port number there).

//Magnus