Gurjeet Singh wrote:
> On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce@momjian.us> wrote:
>
> >
> > It is possible for the attacker to use one of the interfaces (tcp or
> > unix domain) and wait for the postmaster to start. The postmaster will
> > fail to start on the interface in use but will start on the other
> > interface and the attacker could route queries to the active postmaster
> > interface.
> >
> >
> I am not very conversant with networking, but I see a possibly simple
> solution. Why not refuse to start the postmaster if we are unable to bind
> with any of the interfaces (all that are specified in the conf file).
>
> This way, if the attacker has control of even one interface (and
> optionally the local socket) that the clients are expected to connect to,
> the postmaster wouldn't start and the attacker won't have any traffic to
> peek into.
Yes, that would fix the problem I mentioned but at that point the
attacker already has passwords so they can just connect themselves.
Having the server fail if it can't get one interface makes the server
less reliable.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
