On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce@momjian.us> wrote:
> It is possible for the attacker to use one of the interfaces (tcp or
> unix domain) and wait for the postmaster to start. The postmaster will
> fail to start on the interface in use but will start on the other
> interface and the attacker could route queries to the active postmaster
> interface.
I am not very conversant with networking, but I see a possibly simple solution. Why not refuse to start the postmaster if we are unable to bind with any of the interfaces (all that are specified in the conf file)?
This way, if the attacker has control of even one interface (and optionally the local socket) that the clients are expected to connect to, the postmaster wouldn't start and the attacker won't have any traffic to peek into.
Best regards,
--
gurjeet[.singh]@EnterpriseDB.com
singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB
http://www.enterprisedb.com
17° 29' 34.37"N, 78° 30' 59.76"E - Hyderabad
18° 32' 57.25"N, 73° 56' 25.42"E - Pune
37° 47' 19.72"N, 122° 24' 1.69" W - San Francisco *
http://gurjeet.frihost.net
Mail sent from my BlackLaptop device
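
The refuse-to-start rule proposed in the message above, as an added example (not PostgreSQL code and not code from this thread): every configured endpoint must bind, otherwise whatever was already bound is released and startup is refused. `struct endpoint`, `bind_one`, `bind_all_or_refuse`, the socket path and the port are hypothetical names and constructed values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* One configured endpoint: a Unix socket path, or an IPv4 host and port. */
struct endpoint { const char *unix_path; const char *host; int port; };

/* Bind and listen on one endpoint; returns the fd, or -1 on failure. */
static int bind_one(const struct endpoint *ep)
{
    struct sockaddr_un un = { .sun_family = AF_UNIX };
    struct sockaddr_in in = { .sin_family = AF_INET, .sin_port = htons(ep->port) };
    int fd = socket(ep->unix_path ? AF_UNIX : AF_INET, SOCK_STREAM, 0), rc = -1;
    if (fd < 0) return -1;
    if (ep->unix_path) {
        strncpy(un.sun_path, ep->unix_path, sizeof(un.sun_path) - 1);
        rc = bind(fd, (struct sockaddr *) &un, sizeof(un)); /* fails if path exists */
    } else if (inet_pton(AF_INET, ep->host, &in.sin_addr) == 1) {
        rc = bind(fd, (struct sockaddr *) &in, sizeof(in)); /* fails if port is taken */
    }
    if (rc == 0 && listen(fd, 16) == 0) return fd;
    close(fd);
    return -1;
}

/* All-or-nothing: return 0 with fds[] filled, or undo earlier binds and return -1. */
int bind_all_or_refuse(const struct endpoint *eps, int n, int *fds)
{
    for (int i = 0; i < n; i++) {
        if ((fds[i] = bind_one(&eps[i])) >= 0) continue;
        fprintf(stderr, "cannot bind endpoint %d, refusing to start\n", i);
        while (--i >= 0) {              /* release what we already hold */
            close(fds[i]); fds[i] = -1;
            if (eps[i].unix_path) unlink(eps[i].unix_path);
        }
        return -1;
    }
    return 0;
}

int main(void)
{   /* Constructed sample configuration (hypothetical path and port). */
    struct endpoint eps[] = { { "/tmp/.s.demo", NULL, 0 }, { NULL, "127.0.0.1", 54320 } };
    int fds[2];
    return bind_all_or_refuse(eps, 2, fds) ? 1 : (unlink(eps[0].unix_path), 0);
}
```

A non-zero exit here corresponds to the server not starting at all, which also means anyone who can occupy one configured endpoint can keep the service down.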