Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Spoofing as the postmaster
- From: "D'Arcy J.M. Cain" <darcy(at)druid(dot)net>
- To: Bruce Momjian <bruce(at)momjian(dot)us>
- Cc: PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
- Subject: Re: Spoofing as the postmaster
- Date: Sat, 22 Dec 2007 10:04:19 -0500
On Sat, 22 Dec 2007 09:25:05 -0500 (EST) Bruce Momjian <bruce(at)momjian(dot)us> wrote: > I think at a minimum we need to add documentation that states if you > don't trust the local users on the postmaster server you should: > > o create unix domain socket files in a non-world-writable > directory > o require SSL server certificates for TCP connections > > Ideas? It's generally a bad idea to put your database on a public server anyway but if you do you should definitely disable unix domain sockets and connect over TCP to localhost. That has been our rule for years. It's certainly a corner case. I would think that warnings, perhaps in the config file itself, would be sufficient. -- D'Arcy J.M. Cain <darcy(at)druid(dot)net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
- Follow-Ups:
- Re: Spoofing as the postmaster
- From: Gregory Stark
- Re: Spoofing as the postmaster
- References:
- Spoofing as the postmaster
- From: Bruce Momjian
- Spoofing as the postmaster
- Prev by Date: Re: timetz range check issue
- Next by Date: Re: Spoofing as the postmaster
- Previous by thread: Spoofing as the postmaster
- Next by thread: Re: Spoofing as the postmaster
- Indexes: