Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: [HACKERS] SSL over Unix-domain sockets
- From: Bruce Momjian <bruce(at)momjian(dot)us>
- To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
- Cc: Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
- Subject: Re: [HACKERS] SSL over Unix-domain sockets
- Date: Thu, 31 Jan 2008 12:32:46 -0500 (EST)
- Message-id: <200801311732.m0VHWk706279@momjian.us> <text/plain>
Tom Lane wrote: > Bruce Momjian <bruce(at)momjian(dot)us> writes: > > I am confused because you say "dangling" then you say "to the real > > socket". You are saying it isn't dangling when the server is running? > > Exactly. When the server is running it provides a perfectly good path > to the postmaster. The point (and the main difference from your PIDfile > proposal) is that it's supposed to be there all the time, even when the > postmaster isn't running. This is what provides protection against the > spoofer getting there first. OK, I have added documention suggesting the creation a symbolic link in /tmp to prevent server spoofing when the socket file has been moved. I think we can consider this issue concluded. I think SSL over unix domain sockets has so much overhead as to be worse in most cases than just creating the symlink. Of course if someone comes up with a better idea we can reopen this. -- Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.403
diff -c -c -r1.403 runtime.sgml
*** doc/src/sgml/runtime.sgml 24 Jan 2008 06:23:32 -0000 1.403
--- doc/src/sgml/runtime.sgml 31 Jan 2008 17:21:57 -0000
***************
*** 1397,1403 ****
connections is to use a Unix domain socket directory (<xref
linkend="guc-unix-socket-directory">) that has write permission only
for a trusted local user. This prevents a malicious user from creating
! their own socket file in that directory. For TCP connections the server
must accept only <literal>hostssl</> connections (<xref
linkend="auth-pg-hba-conf">) and have SSL
<filename>server.key</filename> (key) and
--- 1397,1412 ----
connections is to use a Unix domain socket directory (<xref
linkend="guc-unix-socket-directory">) that has write permission only
for a trusted local user. This prevents a malicious user from creating
! their own socket file in that directory. If you are concerned that
! some applications might still look in <filename>/tmp</> for the
! socket file and hence be vulnerable to spoofing, create a symbolic link
! during operating system startup in <filename>/tmp</> that points to
! the relocated socket file. You also might need to modify your
! <filename>/tmp</> cleanup script to preserve the symbolic link.
! </para>
!
! <para>
! For TCP connections the server
must accept only <literal>hostssl</> connections (<xref
linkend="auth-pg-hba-conf">) and have SSL
<filename>server.key</filename> (key) and
- References:
- Re: [HACKERS] SSL over Unix-domain sockets
- From: Tom Lane
- Re: [HACKERS] SSL over Unix-domain sockets
- Prev by Date: Truncate Triggers
- Previous by thread: Re: [HACKERS] SSL over Unix-domain sockets
- Next by thread: Re: [HACKERS] SSL over Unix-domain sockets
- Indexes: