On Dec 22, 2007 6:25 AM, Bruce Momjian <[EMAIL PROTECTED]> wrote:
>
> It is possible for the attacker to use one of the interfaces (tcp or
> unix domain) and wait for the postmaster to start. The postmaster will
> fail to start on the interface in use but will start on the other
> interface and the attacker could route queries to the active postmaster
> interface.
>

I am not very conversant with networking, but I see a possibly simple solution. Why not refuse to start the postmaster if we are unable to bind with any of the interfaces (all that are specified in the conf file)? This way, if the attacker has control of even one interface (and optionally the local socket) that the clients are expected to connect to, the postmaster wouldn't start and the attacker won't have any traffic to peek into.

Best regards,
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] gmail | hotmail | indiatimes | yahoo }.com

EnterpriseDB http://www.enterprisedb.com

17° 29' 34.37"N, 78° 30' 59.76"E - Hyderabad
18° 32' 57.25"N, 73° 56' 25.42"E - Pune
37° 47' 19.72"N, 122° 24' 1.69" W - San Francisco *

http://gurjeet.frihost.net

Mail sent from my BlackLaptop device