Bruce Momjian wrote:
> My feeling on the moving of sockets risk is that you are probably going
> to have all your clients using the new socket directory before anyone
> tries to put something in /tmp, especially if you have the lock file in
> /tmp as outlined above. To spoof in such a situation you would need to
> do the attack while the server is down _and_ against a client that
> doesn't know the right socket location.
Perhaps the easiest thing to do is to create a (possibly dangling)
symlink in /tmp to the real socket in a protected dir. This symlink
would be created at start time by an early init script and never
deleted.
So when postmaster is down, the symlink is dangling but it cannot be
overwritten by the attacker. And when postmaster is running, the client
can find the true socket via either path.
One thing to be aware of is /tmp cleaners ...
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support