Re: [HACKERS] Query cancel and OOB data
| От | Tom Lane |
|---|---|
| Тема | Re: [HACKERS] Query cancel and OOB data |
| Дата | |
| Msg-id | 3968.896023782@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: [HACKERS] Query cancel and OOB data (Bruce Momjian <maillist@candle.pha.pa.us>) |
| Ответы |
Re: [HACKERS] Query cancel and OOB data
(Bruce Momjian <maillist@candle.pha.pa.us>)
Re: [HACKERS] Query cancel and OOB data (ocie@paracel.com) |
| Список | pgsql-hackers |
Bruce Momjian <maillist@candle.pha.pa.us> writes:
> I was trying to avoid the
> 'magic cookie' solution for a few reasons:
> 1) generating a random secret codes can be slow (I may be wrong)
Not really. A typical system rand() subroutine is a multiply and an
add. For the moment I'd recommend generating an 8-byte random key with
something like
for (i=0; i<8; i++)
key[i] = rand() & 0xFF;
which isn't going to take enough time to notice.
The above isn't cryptographically secure (which means that a person who
receives a "random" key generated this way might be able to predict the
next one you generate). But it will do to get the protocol debugged,
and we can improve it later. I have Schneier's "Applied Cryptography"
and will study its chapter on secure random number generators.
> 2) the random key is sent across the network with a cancel
> request, so once it is used, it can be used by a malcontent to cancel
> any query for that backend.
True, if you have a packet sniffer then you've got big troubles ---
on the other hand, a packet sniffer can also grab your password,
make his own connection to the server, and wreak much more havoc
than just issuing a cancel. I don't see that this adds any
vulnerability that wasn't there before.
> 3) I hesitate to add the bookkeeping in the postmaster and libpq
> of that pid/secret key combination. Seems like some bloat we could do
> without.
The libpq-side bookkeeping is trivial. I'm not sure about the
postmaster though. Does the postmaster currently keep track of
all operating backend processes, or not? If it does, then another
field per process doesn't seem like a problem.
> 4) You have to store the secret key in the client address space,
> possibly open to snooping.
See password. In any case, someone with access to the client address
space can probably manage to send packets from the client, too. So
"security" based on access to the client/backend connection isn't any
better.
> This basically simulates OOB by sending a message to the postmaster,
> which is always listening, and having it send a signal, which is
> possible because they are owned by the same user.
Right.
Maybe we should look at this as a fallback that libpq uses if it
tries OOB and that doesn't work? Or is it not a good idea to have
two mechanisms?
regards, tom lane
В списке pgsql-hackers по дате отправления: