
Re: Spoofing as the postmaster

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
Cc: "Bruce Momjian" <bruce(at)momjian(dot)us>, "PostgreSQL-development" <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 07:57:07
Lists: pgsql-hackers

"D'Arcy J.M. Cain" <darcy(at)druid(dot)net> writes:

> On Sat, 22 Dec 2007 09:25:05 -0500 (EST)
> Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>> I think at a minimum we need to add documentation that states if you
>> don't trust the local users on the postmaster server you should:
>> 	o  create unix domain socket files in a non-world-writable
>> 	   directory
>> 	o  require SSL server certificates for TCP connections
>> Ideas?  
> It's generally a bad idea to put your database on a public server
> anyway but if you do you should definitely disable unix domain sockets
> and connect over TCP to localhost.  That has been our rule for years.
> It's certainly a corner case.  I would think that warnings, perhaps in
> the config file itself, would be sufficient.

That seems like a terrible idea. At least while you're dealing with unix
domain sockets you know there's no way a remote user could possibly interfere
with or sniff your data. As soon as you're dealing with TCP it's a whole new

X famously had a problem on many OSes where you could spoof the first packet
(and if you could predict sequence numbers more than that) of a connection
allegedly coming from (it helped that a message to open up
connections from anywhere fit in one packet...) Modern OSes include network
filters to block such spoofs but it's one more thing you're counting on.

Also brought into place are things like forged RST packets, routing table
attacks, and on and on.

And on the performance front you're dealing with smaller mss and much higher
protocol overhead. You also lose bulletproof authentication from unix
credentials and are instead relying on properly configuring your network
authentication. And it's much easier to accidentally be relying on insecure

  Gregory Stark
  Ask me about EnterpriseDB's 24x7 Postgres support!
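
The socket-directory advice quoted at the top of this message (create Unix-domain socket files in a non-world-writable directory), as an added example that is not part of the original message or of PostgreSQL: a Python check a client-side script could run before connecting. The function name `audit_socket`, its parameters and the scratch socket path in the demo are assumptions made for illustration.

```python
import os
import stat


def audit_socket(sock_path, server_uid, trusted_dir_uids=(0,)):
    """Return findings that would let another local user plant a socket at
    sock_path. server_uid is the account the real server runs as (assumed
    known to the caller); it and trusted_dir_uids may own the directory."""
    findings = []
    sock_dir = os.path.realpath(os.path.dirname(os.path.abspath(sock_path)))
    d = os.stat(sock_dir)
    mode = stat.S_IMODE(d.st_mode)

    if mode & stat.S_IWOTH:
        # The sticky bit (as on /tmp) only stops deleting or renaming other
        # users' files; it does not stop anyone creating a new socket.
        sticky = " (sticky bit set, creation still allowed)" if mode & stat.S_ISVTX else ""
        findings.append(f"directory {sock_dir} is world-writable{sticky}")
    if mode & stat.S_IWGRP:
        findings.append(f"directory {sock_dir} is group-writable (gid {d.st_gid})")
    if d.st_uid != server_uid and d.st_uid not in trusted_dir_uids:
        findings.append(f"directory {sock_dir} is owned by untrusted uid {d.st_uid}")

    try:
        s = os.lstat(sock_path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        findings.append(f"{sock_path} does not exist (server not running?)")
        return findings
    if not stat.S_ISSOCK(s.st_mode):
        findings.append(f"{sock_path} is not a socket")
    elif s.st_uid != server_uid:
        findings.append(f"{sock_path} is owned by uid {s.st_uid}, expected {server_uid}")
    return findings


if __name__ == "__main__":
    # Constructed demo: bind a socket in a scratch directory, then audit it
    # with /tmp-like permissions and with private permissions.
    import socket
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".s.PGSQL.5432")
        srv = socket.socket(socket.AF_UNIX)
        srv.bind(path)
        for perms in (0o1777, 0o700):
            os.chmod(tmp, perms)
            print(oct(perms), audit_socket(path, os.getuid()))
        srv.close()
```

An empty list means the directory and socket ownership match what the caller expects; it says nothing about TCP connections, which the same quoted advice covers with SSL server certificates.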
