From: | "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com> |
---|---|
To: | "Bruce Momjian" <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, "Tomasz Ostrowski" <tometzky(at)batory(dot)org(dot)pl> |
Subject: | Re: Spoofing as the postmaster |
Date: | 2007-12-23 01:15:22 |
Message-ID: | 65937bea0712221715g54bf74a0i4a81221a4593e46a@mail.gmail.com |
Lists: | pgsql-hackers |
On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> It is possible for the attacker to use one of the interfaces (tcp or
> unix domain) and wait for the postmaster to start. The postmaster will
> fail to start on the interface in use but will start on the other
> interface and the attacker could route queries to the active postmaster
> interface.
>
>
I am not very conversant with networking, but I see a possibly simple
solution. Why not refuse to start the postmaster if we are unable to bind
with any of the interfaces (all that are specified in the conf file)?
This way, if the attacker has control of even one interface (and
optionally the local socket) that the clients are expected to connect to,
the postmaster wouldn't start and the attacker won't have any traffic to
peek into.
Best regards,
--
gurjeet[(dot)singh](at)EnterpriseDB(dot)com
singh(dot)gurjeet(at){ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
17° 29' 34.37"N, 78° 30' 59.76"E - Hyderabad
18° 32' 57.25"N, 73° 56' 25.42"E - Pune
37° 47' 19.72"N, 122° 24' 1.69" W - San Francisco *
Mail sent from my BlackLaptop device
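The fail-closed startup proposed in this message, sketched as an added example that is not part of the original email and is not PostgreSQL code. `bind_one`, `start_listeners` and `demo` are hypothetical names, and the socket path and the socket holding the TCP port are constructed for the demonstration.

```c
/* Added example, not PostgreSQL source: all-or-nothing listener startup. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind and listen on one configured address; returns the fd, or -1. */
static int bind_one(const struct sockaddr *sa, socklen_t len)
{
    int fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, sa, len) == 0 && listen(fd, 16) == 0)
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Fail closed: 0 only if every address bound; else close all and return -1. */
int start_listeners(const struct sockaddr *addrs[], const socklen_t *lens, int n, int *fds)
{
    for (int i = 0; i < n; i++)
        if ((fds[i] = bind_one(addrs[i], lens[i])) < 0) {
            fprintf(stderr, "cannot bind listener %d, refusing to start\n", i);
            while (--i >= 0) close(fds[i]);
            return -1;
        }
    return 0;
}

/* Constructed demo: the Unix socket path is free; the TCP port is held by
 * another socket when taken != 0. Returns what start_listeners() returned. */
int demo(int taken)
{
    struct sockaddr_in tcp = { .sin_family = AF_INET };  /* port 0: kernel picks */
    struct sockaddr_un un = { .sun_family = AF_UNIX };
    const struct sockaddr *addrs[] = { (struct sockaddr *) &un, (struct sockaddr *) &tcp };
    socklen_t lens[] = { sizeof un, sizeof tcp }, tl = sizeof tcp;
    int fds[2], rc, squat;
    tcp.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    snprintf(un.sun_path, sizeof un.sun_path, "/tmp/.s.DEMO.%ld", (long) getpid());
    squat = bind_one((struct sockaddr *) &tcp, tl);
    getsockname(squat, (struct sockaddr *) &tcp, &tl);   /* learn the chosen port */
    if (!taken) close(squat);
    rc = start_listeners(addrs, lens, 2, fds);
    if (rc == 0) { close(fds[0]); close(fds[1]); }
    if (taken) close(squat);
    unlink(un.sun_path);   /* close() does not remove the socket file */
    return rc;
}
int main(void) { printf("taken: %d, free: %d\n", demo(1), demo(0)); return 0; }
```

With the port held, the Unix socket binds first and is then closed again, so nothing is left listening on the interface that was still free.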