Re: Spoofing as the postmaster
From | Mark Mielke |
---|---|
Subject | Re: Spoofing as the postmaster |
Date | |
Msg-id | 476FDC9A.7090703@mark.mielke.cc |
In reply to | Re: Spoofing as the postmaster (Gregory Stark <stark@enterprisedb.com>) |
Responses | Re: Spoofing as the postmaster |
List | pgsql-hackers |
Gregory Stark wrote:

> "Mark Mielke" <mark@mark.mielke.cc> writes:
>
>> UNIX socket kernel credential passing was mentioned in an earlier post, but I didn't see it raised again.
>
> I mentioned getsockopt(SO_PEERCRED) which isn't the same as credential passing. It just tells you what uid is on the other end of your unix domain socket. I think it's much more widespread and portable than credential passing which was a BSD feature which allowed you to send along your kernel credentials to another process. So you could, for example, open a file in psql then pass the file descriptor to the backend to have the backend read directly from the file

I agree - I forgot there were different flavours. I think any of these are just as good as SSL with public key authentication, and perhaps a lot cheaper in terms of performance. The only piece of information missing is the uid to compare against, which may as well be provided in the db open parameters the same as any other parameters might be provided.

Cheers,
mark

--
Mark Mielke <mark@mielke.cc>