Re: SSL over Unix-domain sockets

From Alvaro Herrera
Subject Re: SSL over Unix-domain sockets
Msg-id 20080117134412.GC17828@alvh.no-ip.org
In reply to Re: SSL over Unix-domain sockets  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
> > Perhaps the easiest thing to do is to create a (possibly dangling)
> > symlink in /tmp to the real socket in a protected dir.
> 
> Cute idea ...
> 
> > One thing to be aware of is /tmp cleaners ...
> 
> ... but that would definitely be a problem.  I think on most systems
> you'd have to explicitly tweak the /tmp-cleaning script to know not to
> zap such a link.  Given that such a local customization would probably
> disappear in your next system update, the security gain might be
> fleeting.

Ok, I checked on my system and if I upgrade the /tmp cleaner
(tmpreaper), my customization to the config file is not lost.

Somebody else said elsewhere that if you configure tmpwatch on Redhat
and later upgrade it, the config change is not lost.

That's two popular platforms on which this is a surmountable problem.

So my suggestion is to document this threat, the dangling-symlink
approach, and the need to configure the system's /tmp-cleaner.
Additionally, we can patch the postmaster so that it throws a WARNING if
it finds that the /tmp symlink (when configured to put the socket
somewhere else) is not present.

BTW I noticed that tmpreaper is disabled even after being installed,
mentioning a security flaw which is said to be impossible to close --
and points to
http://lists.openwall.net/full-disclosure/2002/12/20/19

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
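The message above proposes two defensive checks: a postmaster WARNING when the /tmp symlink is missing, and the expectation that the real socket lives in a protected directory. The following shell function is an added example illustrating both checks as an administrator's pre-flight script; it is not code from the thread or from PostgreSQL. It assumes the link is the default socket name (/tmp/.s.PGSQL.5432, passed in as a parameter) and that the target directory is meant to be writable only by its owner; the exit codes and the function names are this example's own.

```shell
# Socket symlink sanity check (added example, not from the original thread).
# Assumptions: the real socket lives in a protected directory and /tmp holds
# a symlink named like the default socket (/tmp/.s.PGSQL.5432). Both paths
# are parameters so the check can be pointed at any layout.

# check_pg_socket_link LINK TARGET
#   0 = symlink present and points at TARGET (socket itself may be absent yet)
#   1 = symlink missing (e.g. removed by a /tmp cleaner) -> recreate it
#   2 = path exists but is not a symlink to TARGET (unexpected file or link)
#   3 = TARGET's directory is world-writable, so it is not a protected dir
check_pg_socket_link() {
    link=$1
    target=$2
    tdir=$(dirname "$target")

    # Is the "protected" directory actually protected?  -perm -002 matches a
    # directory with the other-write bit set; -prune stops find descending.
    if [ -n "$(find "$tdir" -prune -perm -002 2>/dev/null)" ]; then
        return 3
    fi

    # A dangling symlink fails -e but passes -L, so test both before
    # concluding that the link is gone.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        return 1
    fi

    # Something is at the path but it is not a symlink at all.
    if [ ! -L "$link" ]; then
        return 2
    fi

    # A symlink that points anywhere other than our socket is not trusted.
    actual=$(readlink "$link")
    if [ "$actual" != "$target" ]; then
        return 2
    fi
    return 0
}

# Print a WARNING in the spirit of the postmaster check proposed above and
# pass the numeric result through.
warn_pg_socket_link() {
    rc=0
    check_pg_socket_link "$1" "$2" || rc=$?
    case $rc in
        0) ;;
        1) echo "WARNING: socket symlink $1 is missing; recreate it and exclude it from the /tmp cleaner" >&2 ;;
        2) echo "WARNING: $1 exists but is not a symlink to $2; not trusting it" >&2 ;;
        3) echo "WARNING: $(dirname "$2") is world-writable; socket directory is not protected" >&2 ;;
    esac
    return $rc
}

# Example invocation (paths are the assumed defaults):
# warn_pg_socket_link /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432
```

Code 1 is the case the thread is about (a /tmp cleaner has reaped the link); code 2 is the case a cleaner cannot cause but an administrator still wants to notice, and code 3 catches the configuration mistake that would make the whole arrangement pointless. Which exclusion mechanism the /tmp cleaner offers is distribution-specific (the thread mentions tmpreaper and tmpwatch), so the script only reports and leaves that configuration to the administrator.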
