<br /><br /><div class="gmail_quote">On Dec 22, 2007 6:25 AM, Bruce Momjian <<a
href="mailto:bruce@momjian.us">bruce@momjian.us</a>>wrote:<br /><blockquote class="gmail_quote" style="border-left:
1pxsolid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br />It is possible for the attacker to
useone of the interfaces (tcp or<br />unix domain) and wait for the postmaster to start. The postmaster will<br />fail
tostart on the interface in use but will start on the other<br />interface and the attacker could route queries to the
activepostmaster <br />interface.<br /><font color="#888888"><br /></font></blockquote></div><br />I am not very
conversantwith networking, but I see a possibly simple solution. Why not refuse to start the postmaster if we are
unableto bind with any of the interfaces (all that are specified in the conf file). <br /><br /> This way, if the
attackerhas control of even one interface (and optionally the local socket) that the clients are expected to connect
to,the postmaster wouldn't start and the attacker won't have any traffic to peek into. <br /><br clear="all" />Best
regards,<br/>-- <br />gurjeet[.singh]@EnterpriseDB.com<br />singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo
}.com<br/><br />EnterpriseDB <a href="http://www.enterprisedb.com">http://www.enterprisedb.com </a><br /><br />17°
29'34.37"N, 78° 30' 59.76"E - Hyderabad<br />18° 32' 57.25"N, 73° 56' 25.42"E - Pune<br />37° 47' 19.72"N, 122° 24'
1.69"W - San Francisco *<br /><br /><a href="http://gurjeet.frihost.net"> http://gurjeet.frihost.net</a><br /><br
/>Mailsent from my BlackLaptop device