Restricting permissions on Unix socket

Started by Peter Eisentraut about 25 years ago, 3 messages
#1 Peter Eisentraut
peter_e@gmx.net

I'd like to add an option or two to restrict the set of users that can
connect to the Unix domain socket of the postmaster, as an extra security
option.

I imagine something like this:

unix_socket_perm = 0660
unix_socket_group = pgusers

Obviously, permissions that don't have 6's in there don't make much sense,
but I feel this notation is the most intuitive way for admins.

I'm not sure how to do the group thing, though. If I use chown(2) then
there's a race condition, but doing savegid; create socket; restoregid
might be too awkward? Any hints?

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

#2 Robert Kernell
kernell@sundog.larc.nasa.gov
In reply to: Peter Eisentraut (#1)
Re: Restricting permissions on Unix socket

> I'd like to add an option or two to restrict the set of users that can
> connect to the Unix domain socket of the postmaster, as an extra security
> option.
>
> I imagine something like this:
>
> unix_socket_perm = 0660
> unix_socket_group = pgusers
>
> Obviously, permissions that don't have 6's in there don't make much sense,
> but I feel this notation is the most intuitive way for admins.
>
> I'm not sure how to do the group thing, though. If I use chown(2) then
> there's a race condition, but doing savegid; create socket; restoregid
> might be too awkward? Any hints?

Just curious. What is a race condition?

Bob Kernell
Research Scientist
Surface Validation Group
Atmospheric Sciences Competency
Analytical Services & Materials, Inc.
email: kernell@sundog.larc.nasa.gov
tel: 757-827-4631

#3 Alfred Perlstein
bright@wintelcom.net
In reply to: Peter Eisentraut (#1)
Re: Restricting permissions on Unix socket

* Peter Eisentraut <peter_e@gmx.net> [001031 12:57] wrote:

> I'd like to add an option or two to restrict the set of users that can
> connect to the Unix domain socket of the postmaster, as an extra security
> option.
>
> I imagine something like this:
>
> unix_socket_perm = 0660
> unix_socket_group = pgusers
>
> Obviously, permissions that don't have 6's in there don't make much sense,
> but I feel this notation is the most intuitive way for admins.
>
> I'm not sure how to do the group thing, though. If I use chown(2) then
> there's a race condition, but doing savegid; create socket; restoregid
> might be too awkward? Any hints?

Set your umask to 777 then go to town.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."