* Alvaro Herrera <[EMAIL PROTECTED]> [080115 07:24]:
> Tom Lane wrote:
> >
> > It strikes me that given the postmaster's infrastructure for listening
> > on multiple sockets, it would be a pretty small matter of programming
> > to teach it to listen on socket files in multiple directories not only
> > one.
>
> The problem with this idea is that if the postmaster goes away, both
> sockets go away, which means the attacker can place his socket in /tmp
> as he sees fit.
So, make your postmaster listen in a secure location (i.e.
/var/run/postgresql/.s.PGSQL.5432), and have some init script that runs
*before* your attacker puts a symlink in /tmp/s.PGSQL.5432 pointing to it.
This "init" script could even be the normal system postgres init script.
As long as your symlink is made before your attacker gets a chance to run
anything, your attacker can't change/replace it (or you have more serious
problems), and your "safe" location is protected while you've stopped the
postmaster by normal unix permissions.

I don't think we need to go off trying to build anything new. A little bit
of documentation mentioning that creating/removing the socket from /tmp can
lead to a possible spoofed situation is all you need. Normal unix
permissions can solve the problem completely.

a.

-- 
Aidan Van Dyk                                             Create like a god,
[EMAIL PROTECTED]                                       command like a king,
http://www.highrise.ca/                                   work like a slave.
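The init-script approach described in the reply above, as an added example that is not from the thread or from PostgreSQL itself: a POSIX shell function that creates the well-known /tmp name as a symlink to the socket in a directory only the postmaster's user can write, and refuses to touch a name that something else already occupies. Both paths are parameters (the names used here are assumptions) so it can be exercised against scratch directories.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL.
# Idea: the postmaster listens in SAFE_DIR (owner-writable only); an init
# script run at boot, before any untrusted user is active, plants a symlink
# at the public /tmp name so that name can never be squatted later.

# Usage: prepare_socket_dir DIR
# Mode 0755: every local client can traverse the directory to reach the
# socket, but only the owner (the user the postmaster runs as) may create
# or remove entries in it.
prepare_socket_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 0755 "$dir"
}

# Usage: ensure_socket_link SAFE_SOCKET_PATH PUBLIC_LINK_PATH
# Returns 0 if PUBLIC_LINK_PATH is (or now is) a symlink to SAFE_SOCKET_PATH,
# 1 if some foreign file or symlink already occupies the name (possible
# squatting; left untouched so it can be investigated), 2 on creation failure.
ensure_socket_link() {
    safe_sock=$1
    link=$2

    if [ -L "$link" ]; then
        # A symlink is already there (possibly dangling); accept only ours.
        if [ "$(readlink "$link")" = "$safe_sock" ]; then
            return 0
        fi
        echo "refusing: $link points to $(readlink "$link")" >&2
        return 1
    fi
    if [ -e "$link" ]; then
        # Regular file, socket, directory... something else got here first.
        echo "refusing: $link exists and is not a symlink" >&2
        return 1
    fi
    # ln -s without -f calls symlink(2), which fails if the name appeared
    # between the checks above and here, so a race cannot replace a foreign
    # file. Re-read the link afterwards to be sure it is exactly ours.
    ln -s "$safe_sock" "$link" 2>/dev/null || return 2
    [ "$(readlink "$link" 2>/dev/null)" = "$safe_sock" ] || return 2
    return 0
}
```

In a real init script the socket path would be the postmaster's configured unix_socket_directory (assumed here) and the link name /tmp/.s.PGSQL.5432, the default a libpq client looks for.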