Return-Path: pg_adm@postgres.berkeley.edu
Received: by postgres.Berkeley.EDU (5.61/1.29)
	id AA17350; Wed, 6 May 92 09:17:02 -0700
Message-Id: <9205061617.AA17350@postgres.Berkeley.EDU>
From: Stuart Pook <stuart@genethon.genethon.fr>
Subject: Re: Using Postgres from Unix and security
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
In-Reply-To: mao@olympus.cs.berkeley.edu's message of
             Wed, 06 May 92 08:49:00 -0700.
             <9205061549.AA12994@olympus.CS.Berkeley.EDU> 
Organization: Genethon, 13 Place de Rungis, 75013 Paris, France
 tel +33 1 45.65.13.00, fax +33 1 45.88.52.20
Date: Wed, 06 May 92 18:17:07 +0200

Mike Olson writes:
> In message <9205061235.AA15522@postgres.Berkeley.EDU> you write:
> 
> > I have done this (at least to some extent).  I have modified the
> > postmaster so that it only accepts connections from my subnet and only
> > connections from privileged tcp ports.  I have modified the monitor so
> > that it is setuid root, uses a privileged port, and calls getuid(2) and
> > getpwent(3) to determine the user name to send to the postmaster.  In
> > this way the user name that the postmaster receives will be correct.
> > This was easy so I don't really know why somebody has not already done
> > it.  Perhaps I have missed something obvious.  Once I am sure that I am
> > not being naive I will post the patches.
> 
> restricting connections to those originating on your subnet certainly
> reduces the number of people who can mount an attack on your database,
> but the approach you describe doesn't solve the security problem.  i
> can write a program that does tcp socket operations and obeys the postgres
> frontend/backend protocol (easy to do since we distribute source code).
> i can have this program send any user name to the postmaster that i want.
> the postmaster can't authenticate data coming at it over a network.

I think that you have only looked at half of what I have done.  You,
or somebody on one of the machines in my subnet, _cannot_
talk to my postmaster because it only accepts connections coming in a
privileged tcp port (i.e. a port number less than 1024).  Only a root process
can open such a port.  So you cannot create a program which talks to
my postmaster unless you are root on one of the machines on my subnet.
My monitor, which is setuid root, will only send your real unix user name,
as found in /etc/passwd under your user id, to the postmaster.  This is,
I think, sufficient to solve the security problem on a subnet under a single
administration.

To repeat, you say:
> the postmaster can't authenticate data coming at it over a network.
If the port number is less than 1024 it knows that it is talking to root,
and my postmaster will only allow a connection in this case; and in this
case it _can_ believe the supplied user name.

Stuart Pook

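The server-side check Stuart describes, written out as an added stand-alone C example (not Postgres code and not his patches): the peer's source port must be below 1024 and its address must lie inside the configured subnet, as read back from the connected socket with getpeername(2). The subnet 192.0.2.0/24 and the helper names are constructed for this example.

```c
/* Added example: privileged-source-port trust check, as used by rsh-style
 * services. It trusts that only root can bind a port below 1024 on every
 * host in the subnet, which is exactly the assumption the message relies on. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define RESERVED_PORT_LIMIT 1024u   /* IPPORT_RESERVED: only root may bind below it */

/* Constructed example subnet: 192.0.2.0/24 (documentation range). */
#define EXAMPLE_SUBNET "192.0.2.0"
#define EXAMPLE_PREFIX 24

/* Host-order netmask for a CIDR prefix length (0..32). */
static uint32_t prefix_to_mask(int prefix) {
    return prefix <= 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Core decision: reserved source port AND source address inside the subnet. */
int peer_is_trusted(const struct sockaddr_in *peer, uint32_t subnet, uint32_t mask) {
    uint16_t port = ntohs(peer->sin_port);        /* wire order -> host order */
    uint32_t addr = ntohl(peer->sin_addr.s_addr);
    if (peer->sin_family != AF_INET) return 0;
    if (port >= RESERVED_PORT_LIMIT) return 0;    /* unprivileged client process */
    if ((addr & mask) != (subnet & mask)) return 0; /* outside the trusted subnet */
    return 1;
}

/* Convenience wrapper: dotted-quad peer address and host-order port,
 * checked against the constructed example subnet. */
int check_peer(const char *ip, uint16_t port) {
    struct sockaddr_in peer, net;
    memset(&peer, 0, sizeof peer);
    memset(&net, 0, sizeof net);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &peer.sin_addr) != 1) return 0;
    if (inet_pton(AF_INET, EXAMPLE_SUBNET, &net.sin_addr) != 1) return 0;
    return peer_is_trusted(&peer, ntohl(net.sin_addr.s_addr), prefix_to_mask(EXAMPLE_PREFIX));
}

/* For a live connection: read the peer address off the accepted socket. */
int connection_is_trusted(int sockfd, uint32_t subnet_hostorder, int prefix) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    memset(&peer, 0, sizeof peer);
    if (getpeername(sockfd, (struct sockaddr *)&peer, &len) != 0) return 0;
    return peer_is_trusted(&peer, subnet_hostorder, prefix_to_mask(prefix));
}
```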