Thread: Cygwin AF_UNIX socket security improvement patch

Cygwin AF_UNIX socket security improvement patch

From

Jason Tishler

Date:

10 April 2001, 19:52:56

The following patch has been recently applied to Cygwin CVS:

    http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html

I hoping that someone knowledgeable in the area of PostgreSQL sockets
communication can comment on whether or not this will really improve
Cygwin PostgreSQL AF_UNIX socket security.  Recall that Cygwin's AF_UNIX
sockets are really implemented as AF_INET sockets.  Specifically, I'm
interested in whether or not the remaining sendto() and recvfrom() caveats
minimize the effectiveness of this patch with regards to PostgreSQL.

Thanks,
Jason

--
Jason Tishler
Director, Software Engineering       Phone: +1 (732) 264-8770 x235
Dot Hill Systems Corp.               Fax:   +1 (732) 264-8798
82 Bethany Road, Suite 7             Email: Jason.Tishler@dothill.com
Hazlet, NJ 07730 USA                 WWW:   http://www.dothill.com

Re: Cygwin AF_UNIX socket security improvement patch

From

Alfred Perlstein

Date:

10 April 2001, 20:04:25

* Jason Tishler <Jason.Tishler@dothill.com> [010410 14:00] wrote:
> The following patch has been recently applied to Cygwin CVS:
>
>     http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html
>
> I hoping that someone knowledgeable in the area of PostgreSQL sockets
> communication can comment on whether or not this will really improve
> Cygwin PostgreSQL AF_UNIX socket security.  Recall that Cygwin's AF_UNIX
> sockets are really implemented as AF_INET sockets.  Specifically, I'm
> interested in whether or not the remaining sendto() and recvfrom() caveats
> minimize the effectiveness of this patch with regards to PostgreSQL.

If sendto/recvfrom aren't covered then there's most likely still some
problems with security.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
Represent yourself, show up at BABUG http://www.babug.org/

Re: Cygwin AF_UNIX socket security improvement patch

From

Alfred Perlstein

Date:

10 April 2001, 20:21:34

* Alfred Perlstein <bright@wintelcom.net> [010410 14:04] wrote:
> * Jason Tishler <Jason.Tishler@dothill.com> [010410 14:00] wrote:
> > The following patch has been recently applied to Cygwin CVS:
> >
> >     http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html
> >
> > I hoping that someone knowledgeable in the area of PostgreSQL sockets
> > communication can comment on whether or not this will really improve
> > Cygwin PostgreSQL AF_UNIX socket security.  Recall that Cygwin's AF_UNIX
> > sockets are really implemented as AF_INET sockets.  Specifically, I'm
> > interested in whether or not the remaining sendto() and recvfrom() caveats
> > minimize the effectiveness of this patch with regards to PostgreSQL.
>
> If sendto/recvfrom aren't covered then there's most likely still some
> problems with security.

Actually, since the code requires accept() to complete on the server
(knowledge of the key) it may work, your best bet it to simply try
it and let us know.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.