Re: Upcoming re-releases
Florian Weimer <fw@deneb.enyo.de>
From: Florian Weimer <fw@deneb.enyo.de>
To: Martijn van Oosterhout <kleptog@svana.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Andrew Dunstan <andrew@dunslane.net>, Alvaro Herrera <alvherre@commandprompt.com>, Christopher Kings-Lynne <chriskl@familyhealth.com.au>, Devrim GUNDUZ <devrim@commandprompt.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2006-02-11T17:21:04Z
Lists: pgsql-hackers
* Martijn van Oosterhout: > Well, I guess it's an issue. At least it's not suceptable to the > standard symlink attacks. There is in general no way of knowing if the > server you are connecting to is what you think it is (except via SSL > maybe?). For local (i.e. UNIX domain socket) connections, there is -- just use a hard-coded path where each directory is only writable by root or by the PostgreSQL superuser (/var/run in Debian is not world-writable, for instance). > The good thing is that if you're using md5 auth they can't grab your > password. The password is probably of little concern if you use UNIX domain sockets. But feeding wrong data to the application might trigger interesting things.