Обсуждение: Cygwin AF_UNIX socket security improvement patch
The following patch has been recently applied to Cygwin CVS: http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html I hoping that someone knowledgeable in the area of PostgreSQL sockets communication can comment on whether or not this will really improve Cygwin PostgreSQL AF_UNIX socket security. Recall that Cygwin's AF_UNIX sockets are really implemented as AF_INET sockets. Specifically, I'm interested in whether or not the remaining sendto() and recvfrom() caveats minimize the effectiveness of this patch with regards to PostgreSQL. Thanks, Jason -- Jason Tishler Director, Software Engineering Phone: +1 (732) 264-8770 x235 Dot Hill Systems Corp. Fax: +1 (732) 264-8798 82 Bethany Road, Suite 7 Email: Jason.Tishler@dothill.com Hazlet, NJ 07730 USA WWW: http://www.dothill.com
* Jason Tishler <Jason.Tishler@dothill.com> [010410 14:00] wrote: > The following patch has been recently applied to Cygwin CVS: > > http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html > > I hoping that someone knowledgeable in the area of PostgreSQL sockets > communication can comment on whether or not this will really improve > Cygwin PostgreSQL AF_UNIX socket security. Recall that Cygwin's AF_UNIX > sockets are really implemented as AF_INET sockets. Specifically, I'm > interested in whether or not the remaining sendto() and recvfrom() caveats > minimize the effectiveness of this patch with regards to PostgreSQL. If sendto/recvfrom aren't covered then there's most likely still some problems with security. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] Represent yourself, show up at BABUG http://www.babug.org/
* Alfred Perlstein <bright@wintelcom.net> [010410 14:04] wrote: > * Jason Tishler <Jason.Tishler@dothill.com> [010410 14:00] wrote: > > The following patch has been recently applied to Cygwin CVS: > > > > http://www.cygwin.com/ml/cygwin-patches/2001-q2/msg00006.html > > > > I hoping that someone knowledgeable in the area of PostgreSQL sockets > > communication can comment on whether or not this will really improve > > Cygwin PostgreSQL AF_UNIX socket security. Recall that Cygwin's AF_UNIX > > sockets are really implemented as AF_INET sockets. Specifically, I'm > > interested in whether or not the remaining sendto() and recvfrom() caveats > > minimize the effectiveness of this patch with regards to PostgreSQL. > > If sendto/recvfrom aren't covered then there's most likely still some > problems with security. Actually, since the code requires accept() to complete on the server (knowledge of the key) it may work, your best bet it to simply try it and let us know. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.