On Dec 23, 2007 12:20 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Gurjeet Singh wrote:
> > On Dec 22, 2007 6:25 AM, Bruce Momjian <bruce@momjian.us> wrote:
> > This way, if the attacker has control of even one interface (and
> > optionally the local socket) that the clients are expected to connect to,
> > the postmaster wouldn't start and the attacker won't have any traffic to
> > peek into.
>
> Yes, that would fix the problem I mentioned but at that point the
> attacker already has passwords so they can just connect themselves.
> Having the server fail if it can't get one interface makes the server
> less reliable.
It doesn't solve the spoofing attack problem, but isn't Gurjeet's idea
a good one in any case?
If the postmaster can't bind on one of the specified interfaces, then
at the least, haven't you got got a serious configuration error the
sysadmin would want to know about? Having postmaster fail seems like
a sensible response.
"I can't start with the configuration you've given me, so I won't
start at all" is fairly normal behaviour for a server process, no?
Regards,
BJ