From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Marco Colombo" <pgsql(at)esiway(dot)net> |
Cc: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: vulnerability/SSL |
Date: | 2005-06-09 13:53:35 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE6C7638@algol.sollentuna.se |
Lists: | pgsql-general |
> > Yes, that is correct - runas is similar to su. But in order to do
> > "runas", you need the service account's password. Once you are "root"
> > on a unix system, you can do "su - user" *without* the password.
> > That's a big difference.
> > (You can also use the postgres account's smartcard, if you are using
> > smartcard logins, but the deal is that you need *something* that is
> > normally private to the account - even if you are an administrator)
>
> Is that at application level or system level? You know I can
> install a patched su that asks root for passwords as well,
> but the problem is with the seteuid() system call, not su.
> You can (with SELinux) limit root powers a lot, but that's
> not the point.
I think it's at the system level. At least there is no API to do it.
> > I guess we could read in the password ourselves and drop it in our
> > shared memory segment to pass to subprocesses - though that means they
> > can get to the password easier as well. Assuming OpenSSL has the APIs
> > for that, I haven't checked that. I'm unconvinced it makes enough of a
> > difference to be worthwhile, though.
> > (BTW, am I correct in reading this as a problem that only appears on
> > win32, because of the exec nature of the backend, right? Or does it
> > show up on Unix as well?)
>
> Is the Unix version much different? I think the postmaster
> just forks and execs the backends.
It forks. It doesn't exec. As such, it inherits all the memory from the
postmaster.
> But, aren't connections
> handled by the postmaster? All the SSL thing should happen
> before the fork I think. Is the Windows model different? Do
> backends handle SSL negotiation?
On win32 we do fork() + exec(), and the OpenSSL library requires a new
initialization, including reading the key. I should say I'm speaking
from memory of stuff I looked at a long time ago, though - it could
probably do with someone looking through exactly how it is now ;-)
IIRC, the problem is that the openssl structs contain function pointers,
which are not guaranteed to point to the same thing in the child.
//Magnus
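As an added illustration (not code from this thread or from PostgreSQL), the following Python sketch contrasts the two backend-spawning models Magnus describes: a fork()-only child inherits the key the postmaster already loaded, while an exec()'d child (a fresh interpreter standing in for the new process image) starts with none of that memory and can only get the key by re-reading the file. The key material, file name and function names are constructed for the example; it needs a POSIX system for os.fork().

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the server's private key file contents.
KEY_MATERIAL = b"-----BEGIN CONSTRUCTED KEY-----\nnot-a-real-key\n-----END-----\n"
_loaded_key = None  # simulated postmaster state: key read once at startup

def postmaster_startup(key_path):
    """Postmaster reads the key into memory once, before any backend exists."""
    global _loaded_key
    with open(key_path, "rb") as f:
        _loaded_key = f.read()

def backend_via_fork():
    """Unix model: fork() only; the child is a copy of the postmaster's memory."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report what it inherited, then exit
        os.close(r)
        os.write(w, _loaded_key or b"")
        os._exit(0)
    os.close(w)
    data = b"".join(iter(lambda: os.read(r, 4096), b""))
    os.close(r)
    os.waitpid(pid, 0)
    return data

def backend_via_exec(key_path):
    """Win32 model: fork() + exec(); a fresh interpreter stands in for the exec()'d backend."""
    child = ("import sys\n"
             "print(globals().get('_loaded_key'))\n"  # None: nothing inherited
             "print(open(sys.argv[1], 'rb').read().hex())\n")  # must re-read from disk
    out = subprocess.run([sys.executable, "-c", child, key_path],
                         capture_output=True, text=True, check=True)
    inherited_line, reread_hex = out.stdout.splitlines()
    return inherited_line != "None", bytes.fromhex(reread_hex)

def demo():
    """Run both models against a constructed key file; returns what each saw."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "server.key")
        with open(key_path, "wb") as f:
            f.write(KEY_MATERIAL)
        postmaster_startup(key_path)
        forked = backend_via_fork()
        inherited, reread = backend_via_exec(key_path)
    return forked == KEY_MATERIAL, inherited, reread == KEY_MATERIAL
```

In the exec model the backend can only reach the key by re-reading it (or by the postmaster handing it over, as the shared-memory idea above proposes), so the key file's permissions and any passphrase on it come into play at every backend start rather than once at postmaster startup.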