Thread: Restricting permissions on Unix socket
I'd like to add an option or two to restrict the set of users that can connect to the Unix domain socket of the postmaster, as an extra security option. I imagine something like this: unix_socket_perm = 0660 unix_socket_group = pgusers Obviously, permissions that don't have 6's in there don't make much sense, but I feel this notation is the most intuitive way for admins. I'm not sure how to do the group thing, though. If I use chown(2) then there's a race condition, but doing savegid; create socket; restoregid might be too awkward? Any hints? -- Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/
> I'd like to add an option or two to restrict the set of users that can > connect to the Unix domain socket of the postmaster, as an extra security > option. > > I imagine something like this: > > unix_socket_perm = 0660 > unix_socket_group = pgusers > > Obviously, permissions that don't have 6's in there don't make much sense, > but I feel this notation is the most intuitive way for admins. > > I'm not sure how to do the group thing, though. If I use chown(2) then > there's a race condition, but doing savegid; create socket; restoregid > might be too awkward? Any hints? > Just curious. What is a race condition? Bob Kernell Research Scientist Surface Validation Group Atmospheric Sciences Competency Analytical Services & Materials, Inc. email: kernell@sundog.larc.nasa.gov tel: 757-827-4631
<p><font size="2">Please take me off this list! I have received over 50 emails in the last 24 hours and I have no idea whyI am getting them. Please look for email address cjones@rightnotech.com or cjones@rightnow.com and take it out! Thanks!</font><br/><br /><p><font size="2">-----Original Message-----</font><br /><font size="2">From: Robert Kernell [<ahref="mailto:kernell@sundog.larc.nasa.gov">mailto:kernell@sundog.larc.nasa.gov</a>]</font><br /><font size="2">Sent: Tuesday,October 31, 2000 3:36 PM</font><br /><font size="2">To: pgsql-hackers@postgresql.org</font><br /><font size="2">Subject:Re: [HACKERS] Restricting permissions on Unix socket</font><br /><br /><p><font size="2">> I'd like toadd an option or two to restrict the set of users that can</font><br /><font size="2">> connect to the Unix domain socketof the postmaster, as an extra security</font><br /><font size="2">> option.</font><br /><font size="2">> </font><br/><font size="2">> I imagine something like this:</font><br /><font size="2">> </font><br /><font size="2">>unix_socket_perm = 0660</font><br /><font size="2">> unix_socket_group = pgusers</font><br /><font size="2">></font><br /><font size="2">> Obviously, permissions that don't have 6's in there don't make much sense,</font><br/><font size="2">> but I feel this notation is the most intuitive way for admins.</font><br /><font size="2">></font><br /><font size="2">> I'm not sure how to do the group thing, though. If I use chown(2) then</font><br/><font size="2">> there's a race condition, but doing savegid; create socket; restoregid</font><br /><fontsize="2">> might be too awkward? Any hints?</font><br /><font size="2">> </font><p><font size="2">Just curious.What is a race condition? </font><p><font size="2">Bob Kernell</font><br /><font size="2">Research Scientist</font><br/><font size="2">Surface Validation Group</font><br /><font size="2">Atmospheric Sciences Competency</font><br/><font size="2">Analytical Services & Materials, Inc.</font><br /><font size="2">email: kernell@sundog.larc.nasa.gov</font><br/><font size="2">tel: 757-827-4631</font>
* Peter Eisentraut <peter_e@gmx.net> [001031 12:57] wrote: > I'd like to add an option or two to restrict the set of users that can > connect to the Unix domain socket of the postmaster, as an extra security > option. > > I imagine something like this: > > unix_socket_perm = 0660 > unix_socket_group = pgusers > > Obviously, permissions that don't have 6's in there don't make much sense, > but I feel this notation is the most intuitive way for admins. > > I'm not sure how to do the group thing, though. If I use chown(2) then > there's a race condition, but doing savegid; create socket; restoregid > might be too awkward? Any hints? Set your umask to 777 then go to town. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk."