Re: [HACKERS] SSL over Unix-domain sockets - Mailing list pgsql-patches
| From | Bruce Momjian |
|---|---|
| Subject | Re: [HACKERS] SSL over Unix-domain sockets |
| Date | |
| Msg-id | 200801311732.m0VHWk706279@momjian.us Whole thread Raw |
| In response to | Re: [HACKERS] SSL over Unix-domain sockets (Tom Lane <tgl@sss.pgh.pa.us>) |
| List | pgsql-patches |
Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: > > I am confused because you say "dangling" then you say "to the real > > socket". You are saying it isn't dangling when the server is running? > > Exactly. When the server is running it provides a perfectly good path > to the postmaster. The point (and the main difference from your PIDfile > proposal) is that it's supposed to be there all the time, even when the > postmaster isn't running. This is what provides protection against the > spoofer getting there first. OK, I have added documention suggesting the creation a symbolic link in /tmp to prevent server spoofing when the socket file has been moved. I think we can consider this issue concluded. I think SSL over unix domain sockets has so much overhead as to be worse in most cases than just creating the symlink. Of course if someone comes up with a better idea we can reopen this. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + Index: doc/src/sgml/runtime.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v retrieving revision 1.403 diff -c -c -r1.403 runtime.sgml *** doc/src/sgml/runtime.sgml 24 Jan 2008 06:23:32 -0000 1.403 --- doc/src/sgml/runtime.sgml 31 Jan 2008 17:21:57 -0000 *************** *** 1397,1403 **** connections is to use a Unix domain socket directory (<xref linkend="guc-unix-socket-directory">) that has write permission only for a trusted local user. This prevents a malicious user from creating ! their own socket file in that directory. For TCP connections the server must accept only <literal>hostssl</> connections (<xref linkend="auth-pg-hba-conf">) and have SSL <filename>server.key</filename> (key) and --- 1397,1412 ---- connections is to use a Unix domain socket directory (<xref linkend="guc-unix-socket-directory">) that has write permission only for a trusted local user. This prevents a malicious user from creating ! their own socket file in that directory. If you are concerned that ! some applications might still look in <filename>/tmp</> for the ! socket file and hence be vulnerable to spoofing, create a symbolic link ! during operating system startup in <filename>/tmp</> that points to ! the relocated socket file. You also might need to modify your ! <filename>/tmp</> cleanup script to preserve the symbolic link. ! </para> ! ! <para> ! For TCP connections the server must accept only <literal>hostssl</> connections (<xref linkend="auth-pg-hba-conf">) and have SSL <filename>server.key</filename> (key) and
pgsql-patches by date: