Re: [HACKERS] Installation procedure wishest

From: Tom Lane
Subject: Re: [HACKERS] Installation procedure wishest
Date:
Msg-id: 7870.929727402@sss.pgh.pa.us
In reply to: Re: [HACKERS] Installation procedure wishest  (Bruce Momjian <maillist@candle.pha.pa.us>)
List: pgsql-hackers
Bruce Momjian <maillist@candle.pha.pa.us> writes:
>> That's  a detail I'm in doubt about. Our defaults for AF_UNIX
>> sockets is trust (and AFAIK must  be  because  identd  cannot
>> handle  them).  Thus  any  user who has a local shell account
>> could easily become db user postgres.
>> 
>> I think a default of host-localhost-ident-sameuser and giving
>> superusers  the  builtin  right to become everyone would gain
>> higher security.

> But can we assume ident is running.  I don't think so.

No, we cannot make the default installation dependent on any nonstandard
software.  Jan's right, though: the default setup is not secure against
local attackers.

Perhaps we ought to make the default setup use password protection?
That would at least force people to take extra steps to open themselves
to easy attack.

There is still the issue of allowing the superuser to become everyone.
Right now, a pg_dump -z script is extremely painful to run if the
protection setup requires passwords (I am not sure it even works, but
certainly having to enter a password at each ownership swap would be
no fun).  It wouldn't work at all under ident authorization.  I think
we need some sort of "real vs effective userid" scheme to allow a
superuser-started session to switch to any userid without requiring a
password.  (Maybe that's the same thing Jan has in mind.)

Also, it's pointless to pretend we have much security against local
attackers as long as the socket file is being created in /tmp.
On a system that doesn't have "sticky bits" for directories, a local
attacker could substitute his own socket file and then spoof the
protocol to steal legitimate users' passwords...  I recall we discussed
moving the socket location to a directory only writable by postgres,
but didn't get around to doing anything about it.

To run a really secure server on a machine where you didn't trust all
the local users, without the annoyance of passwords, you'd need to set
up host-localhost-ident-sameuser *and* disable access through the
AF_UNIX socket.  Is that possible now?  (I guess you could configure
host localhost reject ...)
        regards, tom lane
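The two pg_hba.conf setups discussed in the message, written out as an added illustration in the 6.x-era pg_hba.conf line format (this is not a file from the thread or from the PostgreSQL distribution). The `local ... reject` line is an assumption: whether the AF_UNIX line accepts `reject` is exactly the question the message leaves open, and the two blocks are alternatives, not one file, since the first matching line wins.

```conf
# Alternative 1: the default-style setup the message calls insecure against
# local attackers. Any shell account can connect over the AF_UNIX socket as
# any database user, including postgres, without presenting a credential.
local   all                                       trust
host    all    127.0.0.1    255.255.255.255       trust

# Alternative 2: the hardened setup the message describes. TCP connections
# from localhost must pass identd, and the OS user name must equal the
# database user name (the "sameuser" map), so no password prompts are needed.
host    all    127.0.0.1    255.255.255.255       ident     sameuser
# Close the AF_UNIX socket entirely, so the trust path no longer exists.
# ASSUMED SYNTAX: the message does not confirm that "reject" is valid here.
local   all                                       reject
```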
