Re: Spoofing as the postmaster

"Mark Mielke" <mark@mark.mielke.cc> writes:

> UNIX socket kernel credential passing was mentioned in an earlier post, but I
> didn't see it raised again. 

I mentioned getsockopt(SO_PEERCRED) which isn't the same as credential
passing. It just tells you what uid is on the other end of your unix domain
socket.

I think it's much more widespread and portable than credential passing which
was a BSD feature which allowed you to send along your kernel credentials to
another process. So you could, for example, open a file in psql then pass the
file descriptor to the backend to have the backend read directly from the
file.

--  Gregory Stark EnterpriseDB          http://www.enterprisedb.com Ask me about EnterpriseDB's RemoteDBA services!