Re: Spoofing as the postmaster

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Most Linux distros don't have SELinux, AFAIK, so this is probably not a
> very useful suggestion. Not that I have a problem with Red-Hat-specific
> solutions ;-)

Debian also has SELinux, if one wishes to configure it. I suspect other
Debian-derived distributions also have it as a result. It can certainly
be a pain to configure but it's far from impossible and if an SA has
concerns such as those described, well, I'd be kind of suprised if they
weren't considering SELinux (if they're on Linux anyway).

> ... but since one of the arguments being made against
> move-the-socket is that it introduces a lot of platform-specific
> assumptions, we have to apply that same criterion to alternative
> answers.

I don't quite follow how one argues 'against' SELinux in this context
as I don't believe upstream changes would be required here. Just a
policy configuration whereby only the postgres user can listen on port
5432.

> As far as ensuring security from the server end, what about extending
> the pg_hba.conf options to require that the server has both checked
> a client certificate and presented its own certificate? (I'm not sure
> whether OpenSSL provides a way to determine that, though.)

It'd be really nice to be able to have client-side certificates used for
authentication by having a way to associate a certificate (or maybe at
least the DN, but you can have dups) to a user. That's a seperate
conversation tho, really.

Thanks,

Stephen