Thread: Restricting permissions on Unix socket

Restricting permissions on Unix socket

From
Peter Eisentraut
Date:
I'd like to add an option or two to restrict the set of users that can
connect to the Unix domain socket of the postmaster, as an extra security
option.

I imagine something like this:

unix_socket_perm = 0660
unix_socket_group = pgusers

Obviously, permissions that don't have 6's in there don't make much sense,
but I feel this notation is the most intuitive way for admins.

I'm not sure how to do the group thing, though.  If I use chown(2) then
there's a race condition, but doing savegid; create socket; restoregid
might be too awkward?  Any hints?

-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/



Re: Restricting permissions on Unix socket

From
Robert Kernell
Date:
> I'd like to add an option or two to restrict the set of users that can
> connect to the Unix domain socket of the postmaster, as an extra security
> option.
> 
> I imagine something like this:
> 
> unix_socket_perm = 0660
> unix_socket_group = pgusers
> 
> Obviously, permissions that don't have 6's in there don't make much sense,
> but I feel this notation is the most intuitive way for admins.
> 
> I'm not sure how to do the group thing, though.  If I use chown(2) then
> there's a race condition, but doing savegid; create socket; restoregid
> might be too awkward?  Any hints?
> 

Just curious. What is a race condition? 

Bob Kernell
Research Scientist
Surface Validation Group
Atmospheric Sciences Competency
Analytical Services & Materials, Inc.
email: kernell@sundog.larc.nasa.gov
tel: 757-827-4631



RE: Restricting permissions on Unix socket

From
"Jones, Colin"
Date:
Please take me off this list!  I have received over 50 emails in the last 24 hours and I have no idea
why I am getting them.  Please look for email address cjones@rightnotech.com or cjones@rightnow.com and take it out!
Thanks!

-----Original Message-----
From: Robert Kernell [mailto:kernell@sundog.larc.nasa.gov]
Sent: Tuesday, October 31, 2000 3:36 PM
To: pgsql-hackers@postgresql.org
Subject: Re: [HACKERS] Restricting permissions on Unix socket

> I'd like to add an option or two to restrict the set of users that can
> connect to the Unix domain socket of the postmaster, as an extra security
> option.
>
> I imagine something like this:
>
> unix_socket_perm = 0660
> unix_socket_group = pgusers
>
> Obviously, permissions that don't have 6's in there don't make much sense,
> but I feel this notation is the most intuitive way for admins.
>
> I'm not sure how to do the group thing, though.  If I use chown(2) then
> there's a race condition, but doing savegid; create socket; restoregid
> might be too awkward?  Any hints?
>

Just curious. What is a race condition?

Bob Kernell
Research Scientist
Surface Validation Group
Atmospheric Sciences Competency
Analytical Services & Materials, Inc.
email: kernell@sundog.larc.nasa.gov
tel: 757-827-4631

Re: Restricting permissions on Unix socket

From
Alfred Perlstein
Date:
* Peter Eisentraut <peter_e@gmx.net> [001031 12:57] wrote:
> I'd like to add an option or two to restrict the set of users that can
> connect to the Unix domain socket of the postmaster, as an extra security
> option.
> 
> I imagine something like this:
> 
> unix_socket_perm = 0660
> unix_socket_group = pgusers
> 
> Obviously, permissions that don't have 6's in there don't make much sense,
> but I feel this notation is the most intuitive way for admins.
> 
> I'm not sure how to do the group thing, though.  If I use chown(2) then
> there's a race condition, but doing savegid; create socket; restoregid
> might be too awkward?  Any hints?

Set your umask to 777 then go to town.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."