Re: Postgres syscalls - Mailing list pgsql-hackers

From Shridhar Daithankar
Subject Re: Postgres syscalls
Date
Msg-id 3DF9D33E.16544.384D21B@localhost
Whole thread Raw
In response to Re: Postgres syscalls  (Stephan Szabo <sszabo@megazone23.bigpanda.com>)
List pgsql-hackers
On 12 Dec 2002 at 16:09, Stephan Szabo wrote:

> 
> On Fri, 13 Dec 2002, [iso-8859-1] Diego T. wrote:
> 
> > Hello I'm an Italian student of computer science at
> > University of Rome "La Sapienza". I've to analyze some
> > daemons which run under root privileges with a tool
> > developed by my departement. This tool intercepts
> > critical syscalls, like Execve, and blocks illegal
> > invocation of that primitives (E.g. Execve("/bin/sh"))
> > performed by a daemon which runs under root
> > privileges. This approach blocks buffer overflow
> > attacks before they can complete (or I hope so). Now,

OK..

> > the problem is that postgres doesn' t run under root
> > privileges and that the tool intercepts only the
> > syscalls invoked by a process with root privileges. Is
> > possible to force postgres to run under root

> You could probably just hack out the checks in main/main.c
> and recompile, but postgres does call system and such to do
> things (like create databases) so I'm not sure it'd be terribly
> useful for you.

I agree. Not running root is a god idea from secutiry point of view. That way 
any buffer overflow attacks would be half dead as it is.

Secondly In my understanding, buffer overflow attacks can be stopped very 
effectivelyif compiler has stack smashing patches. ( Or is it kernel as well?)

And do look at strace. I feel you are shooting at same target..

HTH


ByeShridhar

--
Grinnell's Law of Labor Laxity:    At all times, for any task, you have not got 
enough done today.



pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Big 7.4 items
Next
From: "Shridhar Daithankar"
Date:
Subject: Re: Big 7.4 items