From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Eric Leblond <eric@regit.org>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: pgsql-ulogd2
Date: Sun, 15 Jul 2012 13:33:09 +0100 [thread overview]
Message-ID: <5002B885.4090909@googlemail.com> (raw)
In-Reply-To: <5002B688.4070907@googlemail.com>
> Yep, the pgsql plugin makes extensive use of pg_namespace, pg_class
> and pg_attribute which are system tables. These contain definitions of
> every single object registered on that database server and is a major
> security risk (as I pointed out, if that ulogd connection to the
> database server is hijacked, then the attacker could find out what is
> on that database without any problems, which is not good).
>
> I had in mind exactly what you've suggested above - use a separate,
> manually-registered table containing the table columns and their
> mapping to ulogd2 parameters - much less risk and everything is
> configurable, though the downside is that the two tables need to be
> synchronised if the structure of the main ulogd table changes (columns
> renamed or added).
One other thing which I forgot to ask: currently, the pgsql plugin uses
an unencrypted connection to the database server. I haven't studied the
underlying source code which handles pgsql-specific functions, but in
principle it is possible to use encrypted (SSL) connections to the
server by using client/server certificates. Has this been attempted and
considered to be included as an option to that particular plugin?
If not, would there be any objections if such a feature is implemented
(obviously, there will be a need to add additional parameters to that
plugin to configure the type of connection, client/server/CA
certificates etc.)?
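The column-map alternative discussed in this thread, sketched as an added SQL example (this is not ulogd2's own code or schema; the table, column and role names are constructed for illustration, and the dotted key names follow ulogd2's input-key convention). The logging client reads a hand-maintained map and inserts into the log table; it never has to walk pg_class or pg_attribute, so a hijacked connection learns nothing beyond those two tables:

```sql
-- Added example, not ulogd2 code. Names are constructed for illustration.

-- The table that receives the log rows.
CREATE TABLE ulog_events (
    id           bigserial PRIMARY KEY,
    event_time   timestamptz NOT NULL DEFAULT now(),
    src_ip       inet,
    dst_ip       inet,
    ip_protocol  smallint,
    log_prefix   text
);

-- The manually-registered map: table column -> ulogd2 input key.
CREATE TABLE ulog_colmap (
    column_name  text PRIMARY KEY,
    ulogd_key    text NOT NULL UNIQUE
);

INSERT INTO ulog_colmap (column_name, ulogd_key) VALUES
    ('src_ip',      'ip.saddr'),
    ('dst_ip',      'ip.daddr'),
    ('ip_protocol', 'ip.protocol'),
    ('log_prefix',  'oob.prefix');

-- Least-privilege role for the logging client: it may insert rows and
-- read the map, and nothing else in this schema.
CREATE ROLE ulogd_writer LOGIN;
REVOKE ALL ON ulog_events, ulog_colmap FROM PUBLIC;
GRANT INSERT ON ulog_events TO ulogd_writer;
GRANT USAGE ON SEQUENCE ulog_events_id_seq TO ulogd_writer;
GRANT SELECT ON ulog_colmap TO ulogd_writer;

-- What the client runs at start-up instead of querying the catalogs:
SELECT column_name, ulogd_key FROM ulog_colmap ORDER BY column_name;

-- The synchronisation downside the mail mentions: after a schema change,
-- the DBA (not the logging role) checks that every mapped column still
-- exists. Any row returned here is a stale map entry to fix.
SELECT m.column_name
  FROM ulog_colmap m
  LEFT JOIN information_schema.columns c
         ON c.table_name = 'ulog_events' AND c.column_name = m.column_name
 WHERE c.column_name IS NULL;
```

For the encrypted-connection question, the client side needs no SQL: libpq takes `sslmode=verify-full` together with `sslrootcert`, `sslcert` and `sslkey` in the connection string, and the server side pairs a `hostssl` line in pg_hba.conf (with `clientcert` set) with `ssl = on` in postgresql.conf. Those are the extra plugin parameters the mail anticipates.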
Thread overview: 18+ messages
2012-07-13 14:13 pgsql-ulogd2 Mr Dash Four
2012-07-13 15:55 ` pgsql-ulogd2 Eric Leblond
2012-07-14 13:00 ` pgsql-ulogd2 Mr Dash Four
2012-07-14 21:22 ` pgsql-ulogd2 Eric Leblond
2012-07-15 12:24 ` pgsql-ulogd2 Mr Dash Four
2012-07-15 12:33 ` Mr Dash Four [this message]
2012-07-15 20:52 ` pgsql-ulogd2 Eric Leblond
2012-07-15 22:36 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 6:33 ` pgsql-ulogd2 Eric Leblond
2012-07-16 12:43 ` pgsql-ulogd2 Mr Dash Four
2012-07-17 23:29 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 8:00 ` pgsql-ulogd2 Florian Westphal
2012-07-16 10:51 ` pgsql-ulogd2 Pablo Neira Ayuso
2012-07-16 12:52 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 13:27 ` pgsql-ulogd2 Florian Westphal
2012-07-16 15:28 ` pgsql-ulogd2 Pablo Neira Ayuso
2012-07-17 23:29 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 10:49 ` pgsql-ulogd2 Pablo Neira Ayuso