Re: Spoofing as the postmaster
From | Peter Eisentraut |
---|---|
Subject | Re: Spoofing as the postmaster |
Date | |
Msg-id | 200712272133.02327.peter_e@gmx.net |
In response to | Re: Spoofing as the postmaster (Magnus Hagander <magnus@hagander.net>) |
List | pgsql-hackers |

Magnus Hagander wrote:
> > How expensive would it be to implement a "server_user" db open parameter
> > that would perform reverse credential passing to validate? "dbname=XXX
> > port=5432 server_user=postgres". If the server can't prove it is
> > postgres through UNIX socket credential passing, it fails. Similarly,
>
> Probably not very, but you should be able to achieve the same thing by
> moving the socket to a protected directory, I think?

What you are ultimately interested in is who runs a given server. Making the inference that if the socket is in a directory that is currently only writable by a certain user implies that the user owns the server that offers that socket doesn't sound like a given to me. And let's forget that it's not really straightforward to find out who has write access to some directory.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
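
The "reverse credential passing" check discussed in this thread, sketched as an added example that is not part of the original message and is not libpq code: a client asks the kernel who owns the listening end of a Unix socket and refuses the connection if it is not the expected server user. It assumes Linux (`SO_PEERCRED`); `connect_verified`, `peer_uid` and the `demo.sock` path are hypothetical names, and the listener is constructed inline.

```python
import os
import pwd
import socket
import struct
import tempfile

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def peer_uid(sock):
    """uid of the process that owns the other end of a connected AF_UNIX socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid


def connect_verified(path, server_user):
    """Connect to `path`; fail unless the peer runs as `server_user` (name or uid).

    Hypothetical helper modelled on the server_user parameter proposed in the thread.
    """
    want = server_user if isinstance(server_user, int) else pwd.getpwnam(server_user).pw_uid
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        got = peer_uid(sock)  # reported by the kernel, not claimed by the peer
        if got != want:
            raise PermissionError(f"{path}: server runs as uid {got}, expected {want}")
    except Exception:
        sock.close()
        raise
    return sock


def demo():
    """Constructed scenario: a listener owned by the current user in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(8)
            connect_verified(path, os.getuid()).close()  # expected owner: accepted
            try:
                connect_verified(path, os.getuid() + 1).close()  # any other owner
            except PermissionError:
                return True  # mismatch detected before any data is sent
            return False


if __name__ == "__main__":
    print("unexpected server owner rejected:", demo())
```

The check depends only on what the kernel reports about the listening process, so it does not require reasoning about who can write to the socket's directory.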