Am Freitag, 18. Januar 2008 schrieb Alvaro Herrera:
> I propose to create a dangling symlink on system startup in
> /tmp/.s.PGSQL.<port> to the real socket, which is not on a
> world-writable directory. This avoids the spoofer, because he cannot
> create the socket -- the symlink is occupying its place.
This approaches the issue from the wrong end. Spoofing attacks the client, so
the defense must be in the client. If the defense of the client is to rely
on a carefully configured server, then that might exclude some possible
attack vectors, but it is not a defense the client can rely on.
To look at this in another way, if we relied on every browser user to type in
web addresses correctly and all server administrators to make sure
their "socket address" cannot be hijacked, we wouldn't need SSL on the web.
The proper approach, however, is to configure the client to only talk to
servers that can prove their identity.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
