Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > I am confused because you say "dangling" then you say "to the real
> > socket". You are saying it isn't dangling when the server is running?
>
> Exactly. When the server is running it provides a perfectly good path
> to the postmaster. The point (and the main difference from your PIDfile
> proposal) is that it's supposed to be there all the time, even when the
> postmaster isn't running. This is what provides protection against the
> spoofer getting there first.
OK, I have added documention suggesting the creation a symbolic link in
/tmp to prevent server spoofing when the socket file has been moved.
I think we can consider this issue concluded. I think SSL over unix
domain sockets has so much overhead as to be worse in most cases than
just creating the symlink.
Of course if someone comes up with a better idea we can reopen this.
--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.403
diff -c -c -r1.403 runtime.sgml
*** doc/src/sgml/runtime.sgml 24 Jan 2008 06:23:32 -0000 1.403
--- doc/src/sgml/runtime.sgml 31 Jan 2008 17:21:57 -0000
***************
*** 1397,1403 ****
connections is to use a Unix domain socket directory (<xref
linkend="guc-unix-socket-directory">) that has write permission only
for a trusted local user. This prevents a malicious user from creating
! their own socket file in that directory. For TCP connections the server
must accept only <literal>hostssl</> connections (<xref
linkend="auth-pg-hba-conf">) and have SSL
<filename>server.key</filename> (key) and
--- 1397,1412 ----
connections is to use a Unix domain socket directory (<xref
linkend="guc-unix-socket-directory">) that has write permission only
for a trusted local user. This prevents a malicious user from creating
! their own socket file in that directory. If you are concerned that
! some applications might still look in <filename>/tmp</> for the
! socket file and hence be vulnerable to spoofing, create a symbolic link
! during operating system startup in <filename>/tmp</> that points to
! the relocated socket file. You also might need to modify your
! <filename>/tmp</> cleanup script to preserve the symbolic link.
! </para>
!
! <para>
! For TCP connections the server
must accept only <literal>hostssl</> connections (<xref
linkend="auth-pg-hba-conf">) and have SSL
<filename>server.key</filename> (key) and
---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?
http://archives.postgresql.org
