Mark Mielke wrote:
Andrew Dunstan wrote:
D'Arcy J.M. Cain wrote:
- 1: How does the client assure that the postmaster is legit
- 2: How does the postmaster assure that the client is legit
And neither answers the original problem:
3. How can the sysadmin prevent a malicious local user from hijacking
the sockets if the postmaster isn't running?
Prevention is much more valuable than ex post detection, IMNSHO.
Probably the first answer is not to run postgres on a machine with
untrusted users, but that's not always possible. Maybe we can't find
a simple cross-platform answer, but that doesn't mean we should not
look at platform-specific answers, at least for documentation.
I thought this answer was already provided: Put the socket in a
directory that is only writable by the database owner. The socket is
created as part of the bind() process. I think this covers 90%+ of it,
and is already in use by distributions. The only thing "better" this
team could do would be to formalize it? The "serveruser=" db open
parameter might be enough to lock it up tight if there is still a race
condition on bind(). It's effectively a very cheap authentication
mechanism that does not require expensive cryptographic operations.
It's in use by some distributions, hardly all, or even a majority. AFAIK
it's only in Debian + descendants.
Anyway, I think it could arguably make matters worse, not better, by
guaranteeing that the postmaster can start up even if the TCP socket has
been hijacked . That's why I suggested it might be useful to have a
switch that says don't start if any interface fails to bind (which was
the old pre-8.0 behaviour).
It might well be useful for us to look at drafting an SELinux policy,
even if it's not universal. After all, this situation is precisely the
sort of thing that SELinux is about, ISTM.
cheers
andrew
---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly