Re: Spoofing as the postmaster

Tomasz Ostrowski <tometzky@batory.org.pl> writes:
> So I'm not very fond of this "insecure by default, it's your problem
> to make it secure" attitude. I'm the one who reported this.

IIRC, you started out your argument by also saying that we had to move
the TCP socket to the reserved range, so as to prevent the equivalent
problem in the TCP case.  (And, given the number of clients such as
JDBC that can only connect via TCP, it certainly seems there's little
point in changing the socket case if we don't change the TCP case.)

So let's look at the implications:

1. Postmaster must be started as root, thereby introducing security
risks of its own (ie, after breaking into the DB, an attacker might be
able to re-acquire root privileges).

2. Can only have one postmaster per machine (ICANN is certainly not
going to give us dozens of reserved addresses).

3. Massive confusion and breakage as various people transition to the
new standard at different times.

4. Potential to create, rather than remove, spoofing opportunities
anyplace there is confusion about which port the postmaster is really
listening on.

And at the end of the day there are still any number of ways to
configure your system insecurely...

Fundamentally these are man-in-the-middle attacks, and the only real
solution is mutual authentication.  Pretending that some quick-fix
change eliminates that class of problem is a recipe for building systems
that are less secure, not more so.
        regards, tom lane