Re: [HACKERS] Spoofing as the postmaster

Sat, 29 Dec 2007 10:26:19 -0800 


Mark Mielke wrote:

Andrew Dunstan wrote:

D'Arcy J.M. Cain wrote:

 - 1:  How does the client assure that the postmaster is legit

 - 2:  How does the postmaster assure that the client is legit   

And neither answers the original problem:

3. How can the sysadmin prevent a malicious local user from hijacking 
the sockets if the postmaster isn't running?

Prevention is much more valuable than ex post detection, IMNSHO.

Probably the first answer is not to run postgres on a machine with 
untrusted users, but that's not always possible. Maybe we can't find 
a simple cross-platform answer, but that doesn't mean we should not 
look at platform-specific answers, at least for documentation.

I thought this answer was already provided: Put the socket in a 
directory that is only writable by the database owner. The socket is 
created as part of the bind() process. I think this covers 90%+ of it, 
and is already in use by distributions. The only thing "better" this 
team could do would be to formalize it? The "serveruser=" db open 
parameter might be enough to lock it up tight if there is still a race 
condition on bind(). It's effectively a very cheap authentication 
mechanism that does not require expensive cryptographic operations.






It's in use by some distributions, hardly all, or even a majority. AFAIK 
it's only in Debian + descendants.



Anyway, I think it could arguably make matters worse, not better, by 
guaranteeing that the postmaster can start up even if the TCP socket has 
been hijacked . That's why I suggested it might be useful to have a 
switch that says don't start if any interface fails to bind (which was 
the old pre-8.0 behaviour).



It might well be useful for us to look at drafting an SELinux policy, 
even if it's not universal. After all, this situation is precisely the 
sort of thing that SELinux is about, ISTM.


cheers

andrew



---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
      subscribe-nomail command to [EMAIL PROTECTED] so that your
      message can get through to the mailing list cleanly




























					Reply via email to