Re: Spoofing as the postmaster
From | D'Arcy J.M. Cain |
---|---|
Subject | Re: Spoofing as the postmaster |
Date | |
Msg-id | 20071223105649.5a699325.darcy@druid.net |
In reply to | Re: Spoofing as the postmaster (Gregory Stark <stark@enterprisedb.com>) |
List | pgsql-hackers |
On Sun, 23 Dec 2007 07:57:07 +0000
Gregory Stark <stark@enterprisedb.com> wrote:
> "D'Arcy J.M. Cain" <darcy@druid.net> writes:
> > It's generally a bad idea to put your database on a public server
> > anyway but if you do you should definitely disable unix domain sockets
> > and connect over TCP to localhost. That has been our rule for years.
>
> That seems like a terrible idea. At least while you're dealing with unix
> domain sockets you know there's no way a remote user could possibly interfere
> with or sniff your data. As soon as you're dealing with TCP it's a whole new
> ballgame.

Are you suggesting that you would have Unix domain sockets only? I have
never seen this scenario other than dedicated db/web/etc servers that
don't have public users so that's not an issue anyway. Once you are
allowing untrusted users access you are probably allowing remote access
as well. Two different models and two different security requirements
n'est pas?

Certainly the scenario where you have untrusted users on a server and
require that only logged in users can access the database is possible.
I have just never seen it and suspect that it is rare. Since I am
suggesting that this is really a documentation and warning issue then
this possibility can be examined and discussed in the documentation.

> X famously had a problem on many OSes where you could spoof the first packet
> (and if you could predict sequence numbers more than that) of a connection
> allegedly coming from 127.0.0.1. (it helped that a message to open up
> connections from anywhere fit in one packet...) Modern OSes include network
> filters to block such spoofs but it's one more thing you're counting on.

Well, yes, I do count on the OS being reasonably modern and secure. I
don't think that that is an unreasonable expectation.

> Also brought into place are things like forged RST packets, routing table
> attacks, and on and on.

If this is an issue then don't allow remote access. In this case Unix
domain sockets only make sense.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
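The two deployment models the message contrasts (Unix-domain-socket only versus TCP to localhost only, with remote access allowed in neither) are ultimately expressed in pg_hba.conf. The following audit script is an added example, not code from the thread or from the PostgreSQL project: it parses pg_hba.conf rules, classifies each by reachability (socket, loopback TCP, or remote), and reports rules that fall outside the chosen model or use `trust` authentication. The sample pg_hba.conf content is constructed for the example; the `model` names are this script's own.

```python
"""Audit pg_hba.conf rules against a chosen access model (added example).

The two models are taken from the thread: 'socket-only' (Unix domain
sockets, no TCP) and 'loopback-tcp' (TCP to localhost, no Unix sockets).
Both models assume no remote access at all.
"""
import ipaddress

# Constructed sample pg_hba.conf, not from the thread or any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                  METHOD
local   all       all                            peer
host    all       all   127.0.0.1/32             md5
host    all       all   ::1/128                  md5
host    app       app   10.0.0.0 255.255.255.0   md5
host    all       all   0.0.0.0/0                trust
"""


def _as_ip(token):
    """Return an ip_address for token, or None if it is not a literal IP."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_rule(line):
    """Parse one non-comment pg_hba.conf line into a dict (raises on malformed input)."""
    fields = line.split()
    kind = fields[0]
    if kind == "local":
        if len(fields) < 4:
            raise ValueError(f"malformed local rule: {line!r}")
        return {"type": kind, "database": fields[1], "user": fields[2],
                "address": None, "method": fields[3]}
    if kind in ("host", "hostssl", "hostnossl"):
        if len(fields) < 5:
            raise ValueError(f"malformed host rule: {line!r}")
        address, method_idx = fields[3], 4
        # Old-style "IP netmask" form spends two columns on the address.
        if ("/" not in address and _as_ip(address) is not None
                and len(fields) >= 6 and _as_ip(fields[4]) is not None):
            address, method_idx = f"{address}/{fields[4]}", 5
        return {"type": kind, "database": fields[1], "user": fields[2],
                "address": address, "method": fields[method_idx]}
    raise ValueError(f"unsupported rule type: {kind}")


def classify_address(address):
    """Return 'socket', 'loopback' or 'remote' for a rule's address column."""
    if address is None:
        return "socket"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        # 'all', 'samehost', 'samenet' or a hostname: conservatively treated
        # as reachable from off-host.
        return "remote"
    return "loopback" if net.is_loopback else "remote"


def audit(hba_text, model):
    """Return a list of (rule, reason) findings for rules outside `model`."""
    if model not in ("socket-only", "loopback-tcp"):
        raise ValueError(f"unknown model: {model}")
    findings = []
    for raw in hba_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        scope = classify_address(rule["address"])
        if rule["method"] == "trust":
            findings.append((line, "trust authentication: matching clients need no credentials"))
        if scope == "remote":
            findings.append((line, "rule reachable from non-loopback addresses"))
        elif model == "socket-only" and scope == "loopback":
            findings.append((line, "TCP loopback rule present but model is Unix-socket only"))
        elif model == "loopback-tcp" and scope == "socket":
            findings.append((line, "Unix-socket rule present but model is TCP-to-localhost only"))
    return findings


if __name__ == "__main__":
    for model in ("socket-only", "loopback-tcp"):
        print(f"== model: {model}")
        for rule, reason in audit(SAMPLE_HBA, model):
            print(f"  {rule!r}: {reason}")
```

pg_hba.conf only decides which connecting clients are accepted; whether the postmaster binds a non-loopback interface at all is governed by `listen_addresses` in postgresql.conf, so a loopback-only pg_hba.conf should be paired with `listen_addresses = 'localhost'` rather than relied on alone.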