Re: Upcoming re-releases
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Martijn van Oosterhout <kleptog@svana.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2006-02-11T16:41:01Z
Lists: pgsql-hackers
Martijn van Oosterhout <kleptog@svana.org> writes: > These no real way around this. The only real option would be moving to > a home directory but that would require knowing the username the server > is running under... And the problem would still exist, with even less chance of solution, for TCP connections which are probably the majority of real-world usage. If you're concerned about this sort of attack I think it has to be solved in the protocol, not by reliance on socket placement. I'm not sure whether our current SSL support does a good job of this --- I think it only tries to check whether the server presents a valid certificate, not which cert it is. Possibly Kerberos does more, but I dunno a thing about that... regards, tom lane