Re: Specification of "/" in the host name (for Unix socket support) - Mailing list pgsql-jdbc

From Paul Thomas
Subject Re: Specification of "/" in the host name (for Unix socket support)
Date
Msg-id 20030916143100.A26377@bacon
Whole thread Raw
In response to Specification of "/" in the host name (for Unix socket support)  (Deepak Bhole <dbhole@redhat.com>)
Responses Re: Specification of "/" in the host name (for Unix socket support)
List pgsql-jdbc
On 14/09/2003 01:16 Oliver Jowett wrote:
> On Sat, Sep 13, 2003 at 05:28:03PM +0100, Paul Thomas wrote:
> > You can hide the port from the outside world with a firewall and
> configure
> > PostgreSQL to only accept tcp/ip connections for 127.0.0.1. And if
> packet
> > sniffing on the loopback interface is a concern, is SSL not secure
> enough?
> > Having said that, I'm not sure if the JDBC driver supports SSL ATM but
> > even without it the security argument (as opposed to a dogmatic policy
> > stance) looks very weak to me which is why I initially discounted it.
>
> The current driver does support SSL. I'm not sure what certificate
> management is like under this setup, but from past SSL experiences it's
> going to be "interesting".
>
> However, the simple solution to "I don't want the outside world to see
> the
> server" is "don't listen on TCP/IP, then". Firewalls and tweaking
> postgresql's host-based ACLs would work .. if configured and maintained
> correctly .. but they are hardly the simplest solution and are more
> likely
> to go wrong.

If your firewall goes wrong, I think you've got more fundamental problems
that exposing port 5432! As for configuring, even a simple tool like
Lokkit will do the job.

>
> Also user authentication becomes interesting if you want to do access
> control based on the local user's identity (quite likely when you're
> running
> the client on the same machine as the server). You're going to have to
> run
> an ident server at a minimum (more stuff to configure, firewall, and
> maintain, and another point of failure as the DB relies on it). Unix
> sockets
> can use SCM_CREDENTIALS to pass user information in a much simpler way.
> And
> you can set filesystem-based (user/group) permissions on a unix socket,
> something you can't do with a TCP/IP listener.
>

Well, if all of this is a must-have then Java is probably the wrong
language to use.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller
Business |
| Computer Consultants         |
http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+


pgsql-jdbc by date:

Previous
From: Paul Thomas
Date:
Subject: Re: Specification of "/" in the host name (for Unix socket support)
Next
From: "sc0698"
Date:
Subject: rsetMetaData.getColumnCount();