Re: SSL over Unix-domain sockets
| От | Peter Eisentraut |
|---|---|
| Тема | Re: SSL over Unix-domain sockets |
| Дата | |
| Msg-id | 200904062042.39318.peter_e@gmx.net обсуждение исходный текст |
| Ответ на | Re: SSL over Unix-domain sockets (Martijn van Oosterhout <kleptog@svana.org>) |
| Список | pgsql-hackers |
On Wednesday 01 April 2009 20:37:56 Martijn van Oosterhout wrote: > On Tue, Mar 31, 2009 at 11:33:26PM +0300, Peter Eisentraut wrote: > > On Saturday 28 March 2009 00:42:28 Bruce Momjian wrote: > > > I assume directory permissions controlling access to the socket file > > > would be enough. You are going to have to set up SSL certificates > > > anyway for this so isn't that just as hard as telling the client where > > > the socket file is located? > > > > The permissions on the socket file or the containing directory doesn't > > tell much by itself, because you also need to consider who owns it. What > > that basically comes down to is that the client would need to specify > > something like, "I only want a connection to a server owned by > > 'postgres'." But the client currently has no way of saying that, so we'd > > need to invent something new. > > If you're going to get complicated, go the whole way do SO_PEERCRED on > the socket, then you get the UID of the server... I have added this to the Todo list.
В списке pgsql-hackers по дате отправления: