
Re: Bug#95818: libpgsql2.1: should not depend on ident-server



>>>>> "Oliver" == Oliver Elphick <olly@lfix.co.uk> writes:

    Oliver> It is indeed the case that ident is needed to allow local
    Oliver> access without a password.  I understand that this
    Oliver> presents a small security risk on the server.  However,
    Oliver> without it, it is necessary for the postgres
    Oliver> administrator's database password to be held in clear in
    Oliver> some file, so that the automatic clean-up processes will
    Oliver> be able to operate.

Could be a disaster on some systems. I think some ident servers, like
oidentd, allow individual users to customise their own responses:

[...]

       -s     Allow identd reply spoofing. In order  for  a  non-
              root  user  to spoof its identd reply, the username
              must be listed in /etc/identd.spoof.   The  spoofed
              reply   can   optionally   be   specified   in  the
              /etc/identd.spoof   file.     For    example,    if
              "user:string"  were  an entry in /etc/identd.spoof,
              any successful lookups for "user" would  result  in
              the reply "string" being returned.  If the reply is
              not specified in the  /etc/identd.spoof  file,  the
              spoofed  reply will be read from an .ispoof file in
              the user's home directory. If a user is not allowed
              to  spoof identd replies or there is an error read­
              ing the .ispoof file,  if  the  -r  flag  has  been
              passed to identd, a randomized identd reply will be
              returned. If  not,  the  user's  username  will  be
              returned.  Non-root  users  are  allowed  to  spoof
              identd replies on ports greater than 1023. Non-root
              users  may spoof identd replies on all ports if the
              -A option is specified.

       -S     Same as '-s' but allow all users  to  spoof  identd
              replies  except  for  those  users  listed  in  the
              /etc/identd.spoof file.

[...]

       $HOME/.ispoof
              File containing username to return when oidentd  is
              run with the -s flag.

[note: the above requires careful reading; in order to enable non-root
spoofing you have to pass -s *and* put the user in the
/etc/identd.spoof file *without* a reply; -S is different]

This isn't something I like (read: hate), but I am bringing it up
because it could be a serious security hole when used by programs like
postgresql.
-- 
Brian May <bam@debian.org>
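
Added example, not part of the original message or of oidentd: a Python audit helper that follows the man page text quoted above and lists which local accounts can choose their own ident reply for a given set of oidentd flags and /etc/identd.spoof contents. The one-entry-per-line file layout, the function name and the sample data are assumptions.

```python
def self_spoofing_users(flags, spoof_text, local_users):
    """Return the local users whose ident reply is under their own control.

    flags       -- oidentd command-line flags, e.g. {"-s"}
    spoof_text  -- contents of /etc/identd.spoof (assumed: one entry per
                   line, either "user" or "user:string")
    local_users -- account names to evaluate
    """
    listed = {}  # user -> fixed reply chosen by the admin, or None
    for line in spoof_text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, reply = line.partition(":")
        listed[user] = reply if sep and reply else None

    if "-S" in flags:
        # -S: everyone may spoof except the users listed in the file.
        risky = [u for u in local_users if u not in listed]
    elif "-s" in flags:
        # -s: only listed users may spoof; an entry without a reply means
        # the reply is read from the user's own ~/.ispoof.
        risky = [u for u in local_users if u in listed and listed[u] is None]
    else:
        # Neither flag: the man page describes no user-controlled replies.
        risky = []
    return sorted(risky)


# Constructed sample data, not taken from a real system.
SAMPLE_SPOOF = "alice\nbob:webmaster\n"
SAMPLE_USERS = ["alice", "bob", "carol", "postgres"]

if __name__ == "__main__":
    for flags in ({"-s"}, {"-S"}, set()):
        print(sorted(flags),
              self_spoofing_users(flags, SAMPLE_SPOOF, SAMPLE_USERS))
```

Any account this returns has an ident reply that a service on that host, such as PostgreSQL's passwordless local access, should not treat as proof of identity.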


