Re: Spoofing as the postmaster

From: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
To: Gregory Stark <stark(at)enterprisedb(dot)com>
Cc: "Bruce Momjian" <bruce(at)momjian(dot)us>, "PostgreSQL-development" <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 15:56:49
Message-ID: 20071223105649.5a699325.darcy@druid.net
Lists: pgsql-hackers

On Sun, 23 Dec 2007 07:57:07 +0000
Gregory Stark <stark(at)enterprisedb(dot)com> wrote:
> "D'Arcy J.M. Cain" <darcy(at)druid(dot)net> writes:
> > It's generally a bad idea to put your database on a public server
> > anyway but if you do you should definitely disable unix domain sockets
> > and connect over TCP to localhost. That has been our rule for years.
>
> That seems like a terrible idea. At least while you're dealing with unix
> domain sockets you know there's no way a remote user could possibly interfere
> with or sniff your data. As soon as you're dealing with TCP it's a whole new
> ballgame.

Are you suggesting that you would have Unix domain sockets only? I
have never seen this scenario other than dedicated db/web/etc servers
that don't have public users so that's not an issue anyway. Once you
are allowing untrusted users access you are probably allowing remote
access as well. Two different models and two different security
requirements, n'est-ce pas?

Certainly the scenario where you have untrusted users on a server and
require that only logged in users can access the database is possible.
I have just never seen it and suspect that it is rare. Since I am
suggesting that this is really a documentation and warning issue then
this possibility can be examined and discussed in the documentation.

> X famously had a problem on many OSes where you could spoof the first packet
> (and if you could predict sequence numbers more than that) of a connection
> allegedly coming from 127.0.0.1. (it helped that a message to open up
> connections from anywhere fit in one packet...) Modern OSes include network
> filters to block such spoofs but it's one more thing you're counting on.

Well, yes, I do count on the OS being reasonably modern and secure. I
don't think that that is an unreasonable expectation.

> Also brought into place are things like forged RST packets, routing table
> attacks, and on and on.

If this is an issue then don't allow remote access. In this case Unix
domain sockets only make sense.

--
D'Arcy J.M. Cain <darcy(at)druid(dot)net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
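The exchange above turns on what a server can actually learn about a local peer over a Unix domain socket that it cannot learn over TCP to 127.0.0.1. The following is an added illustration, not code from this thread or from PostgreSQL: a throwaway server of each kind accepts one connection from the same process and records what it could establish about the peer. On the Unix socket the kernel supplies the peer's pid, uid and gid via SO_PEERCRED (Linux-specific; this is the facility behind PostgreSQL's ident/peer authentication on local connections), whereas on TCP all the server gets is a source address and port, which is exactly the thing the quoted X11 history shows can be spoofed. The socket path and the loopback port are constructed for the demo.

```python
"""Contrast peer identity on a Unix domain socket vs. TCP loopback.
Added illustration (assumes Linux for SO_PEERCRED); not from the thread."""
import os
import socket
import struct
import tempfile
import threading


def unix_peer_credentials(conn):
    """Return the kernel-supplied (pid, uid, gid) of the peer on a connected
    Unix domain socket. SO_PEERCRED is Linux-specific; it lets a server trust
    the peer's identity without any password or address check."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return {"pid": pid, "uid": uid, "gid": gid}


def tcp_peer_identity(conn):
    """Over TCP the server only sees an address and port. '127.0.0.1' means
    'a packet claimed to come from loopback', not 'which local user'."""
    addr, port = conn.getpeername()[:2]
    return {"addr": addr, "port": port}


def _serve_one(server, handler, result):
    """Accept a single connection, run the handler, store what it learned."""
    conn, _ = server.accept()
    with conn:
        result.update(handler(conn))


def compare_peer_identity():
    """Run one server of each kind, connect once from this process, and
    return what each server could establish about the connecting peer,
    alongside this process's real identity for comparison."""
    results = {
        "self": {"pid": os.getpid(), "uid": os.getuid(), "gid": os.getgid()},
        "unix": {},
        "tcp": {},
    }

    # Unix domain socket in a private temp dir (constructed for the demo).
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".s.demo")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        t = threading.Thread(target=_serve_one,
                             args=(srv, unix_peer_credentials, results["unix"]))
        t.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            t.join()
        srv.close()

    # TCP on loopback with an ephemeral port (constructed for the demo).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=_serve_one,
                         args=(srv, tcp_peer_identity, results["tcp"]))
    t.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.connect(srv.getsockname())
        t.join()
    srv.close()
    return results


if __name__ == "__main__":
    for kind, info in compare_peer_identity().items():
        print(kind, info)
```

The Unix-socket result matches the process's own uid/gid because the kernel, not the client, fills in those fields; the TCP result carries no user identity at all, which is why Cain's "TCP to localhost" rule trades peer-identity assurance for uniformity with remote access, and why Stark's objection about spoofed loopback packets only applies to the TCP path.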
