Re: Spoofing as the postmaster

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, Bruce Momjian <bruce(at)momjian(dot)us>, Brendan Jurd <direvus(at)gmail(dot)com>, Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-23 13:35:01
Message-ID: 200712231435.03010.peter_e@gmx.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Magnus Hagander wrote:
> > Most kinds of server processes where you'd send sensitive information do
> > support SSL. Most of these server processes don't run over Unix-domain
> > sockets, though.
>
> Well, the question is not about sensitive information, is it? It's about
> password disclosure due to spoofing.

I included passwords as sensitive information.

> Which would affect *all* services
> that accept passwords over any kind of local connections - both unix
> sockets and TCP localhost.

These services either use a protected port or a protected directory, or they
support SSL or something similar (SSH), or they are deprecated, as many
traditional Unix services are. If you find a service that is not covered by
this, then yes, you have a problem.

> The best way to avoid it is of course not to give untrusted users access
> to launch arbitrary processes on your server. Something about that
> should perhaps be added to that new docs section?

That is pretty impractical. PostgreSQL is designed to run on multiuser
operating systems, so it should do it correctly. Such suggestions do not
raise confidence.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Martijn van Oosterhout 2007-12-23 13:55:37 Re: Spoofing as the postmaster
Previous Message Bruce Momjian 2007-12-23 13:18:44 Re: Spoofing as the postmaster