Re: vulnerability/SSL

On Thu, 2005-06-09 at 15:04 +0200, Magnus Hagander wrote:
[...]
> Yes, that is correct - runas is similar to su. But in order to do
> "runas", you need the service accounts password. Once you are "root" on
> a unix system, you can do "su - user" *without* the password. That's a
> big difference.
> (You can also use the postgres accounts smartcard, if you are using
> smartcard logins, but the deal is that you need *something* that is
> normally private to the account - even if you are an administrator)

Is that at application level or system level? You know I can install a
patched su that asks root for passwords as well, but the problem is with
the seteuid() system call, not su. You can (with SELinux) limit root
powers a lot, but that's not the point.

[...]
> I guess we could read in the password ourselves and drop it in our
> shared memory segment to pass to subprocesses - though that means they
> can get to the password easier as well. Assuming OpenSSL has the APIs
> for that, I haven't checked that. I'm unconvinced it makes enough of a
> difference to be worthwhile, though.
> (BTW, am I correct in reading this as a problem that only appears on
> win32, because of the exec nature of the backend, right? Or does it show
> up on Unix as well?)

Is the Unix version much different? I think the postmaster just forks
and execs the backends. But, aren't connections handled by the
postmaster? All the SSL thing should happen before the fork I think. Is
the Windows model different? Do backends handle SSL negotiation?

.TM.
--
____/ ____/ /
/ / / Marco Colombo
___/ ___ / / Technical Manager
/ / / ESI s.r.l.
_____/ _____/ _/ Colombo(at)ESI(dot)it