Re: SSL over Unix-domain sockets - Mailing list pgsql-hackers

From Greg Smith
Subject Re: SSL over Unix-domain sockets
Date
Msg-id Pine.GSO.4.64.0801151406140.27131@westnet.com
In response to Re: SSL over Unix-domain sockets  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Tue, 15 Jan 2008, Tom Lane wrote:

> I think on most systems you'd have to explicitly tweak the /tmp-cleaning 
> script to know not to zap such a link.  Given that such a local 
> customization would probably disappear in your next system update, the 
> security gain might be fleeting.

Right, on the RedHat box I have handy you'd have to edit 
/etc/cron.daily/tmpwatch and add "-x s.PGSQL.5432" to the first line 
there.  I don't think that file changes very often because of routine 
updates anyway, and even if it did you wouldn't lose your custom version. 
That's listed as a config file, not a binary, so the revised one would 
show up as tmpwatch.rpmnew and it would be your job to reconcile the 
packager's changes.  People who just let the GUI updater loose might not 
notice that though.

Other types of systems will obviously have their own ways to cope with 
such local customization.  In the short-term, you're already exposed to 
the problem when walking down this road because of the edit to the startup 
script that creates the symlink in the first place.  For some people 
that's also a tweak to a script that could be updated in a conflicting 
way.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
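
An added example, not part of the original message: a shell check that an administrator could run after package updates to confirm that the tmpwatch exclusion described above is still in place and that no `.rpmnew` file is waiting to be reconciled. The function name, return codes and the sample cron line are assumptions constructed for illustration; only the file role, the `-x s.PGSQL.5432` option and the `.rpmnew` suffix come from the message.

```shell
#!/bin/sh
# check_tmpwatch_exclusion CRON_SCRIPT [SOCKET_NAME]   (hypothetical helper)
# Return status:
#   0  exclusion present, no pending CRON_SCRIPT.rpmnew
#   1  exclusion missing: the /tmp cleaner may remove the socket or symlink
#   2  exclusion present, but CRON_SCRIPT.rpmnew awaits manual reconciliation
#   3  CRON_SCRIPT is not readable
check_tmpwatch_exclusion() {
    script=$1
    sock=${2:-s.PGSQL.5432}
    [ -r "$script" ] || return 3
    # Accept only an exact "-x <sock>" token pair on a live (uncommented)
    # line that invokes tmpwatch; a commented-out copy does not count.
    awk -v s="$sock" '
        /^[ \t]*#/ { next }
        /tmpwatch/ {
            for (i = 1; i < NF; i++)
                if ($i == "-x" && $(i + 1) == s) found = 1
        }
        END { exit !found }
    ' "$script" || return 1
    # The package manager leaves the packager's new version beside a locally
    # modified config file; its presence means there are changes to merge.
    [ -e "$script.rpmnew" ] && return 2
    return 0
}

# Demonstration on constructed files in a scratch directory (not a real
# /etc/cron.daily/tmpwatch; the cron line below is a made-up sample).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' \
        '/usr/sbin/tmpwatch -x s.PGSQL.5432 240 /tmp' > "$dir/tmpwatch"
    check_tmpwatch_exclusion "$dir/tmpwatch"; echo "customized script: $?"
    : > "$dir/tmpwatch.rpmnew"
    check_tmpwatch_exclusion "$dir/tmpwatch"; echo "after package update: $?"
    rm -rf "$dir"
}
demo
```

Status 2 is the case of the unattended GUI update: the customization survives, but the packager's changes have not been merged.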

