Discussion about this post

Richard

Yeah, a bug... BUT, the article was quite incomplete - lacking, from my POV. I will, however, call out the quote from Aslan: I WAS there when Postgres was being moved from a UCB student project to an open-source one. IIRC, it was Paul Aoki who was rewriting the parser to change the primary language of Postgres from (the FAR superior) QUEL language syntax to the (inferior in expressibility of set-theory logic) SQL, and thus when/why SQL was tacked on to the name.

Anyway, regarding the article:

1) It should have pointed out that ONLY the truly clueless provide a web-accessible path to psql! Beyond Trust's REAL name should be Beyond Trusting, as in naive! Stupid! FOOLISH! (If someone has a legitimate need for this, then they should get in as themselves with all the security and tracking THEIR status should experience - and all of it, at least the SQL itself, should be and easily can be logged. See bullet 3 below.)

2) It should have pointed out how the System / Postgres administrator(s) are just as much fools, because they COULD have and SHOULD have put all such access through the funnel of a non-privileged account so EVEN IF someone cracked in, they can't DO anything really damaging! This is what NON-PRIVILEGED ACCOUNTS ARE FOR! Aside from not providing a path to psql in the first place, you don't give your guest account ANY access to "the system catalogues."

3) It should have introduced the audience to Client Certificate Authentication. Postgres has it, so does ssh. ALL serious institutional level through-the-web computing is done this way. It's the ONLY way to RATIONALLY provide web-access to anything sensitive. And even this technique has a couple of levels of confirmation that can be set up such as a known client-host, etc.

4) It should have mentioned that, oh, by the way, what was described is akin to finding a key under a doormat, and just as with a house where there might be a vicious doberman lurking inside, just a way in isn't the whole story. There are potentially quite a few issues a would-be cracker has to resolve to get anything useful out of it.

5) The bigger story just might well be how long this has been actually exploited out there but of course the people who know aren't talking.

We used to have monthly Postgres meetups in the SF Bay Area, but the pandemic ended that... Would be interesting to attend the next big PG conference(s), I'll bet there'll be someone who knows more present.

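The controls Richard lists in points 1 to 3 (no privileged path from the web, a funnel through a non-privileged role, client certificate authentication, and logging of the SQL itself) as one concrete PostgreSQL setup. This is an added example, not from the comment or the article it discusses; the database name appdb, schema app, role app_reader, ident map app_certs, certificate CN and file path are all assumed.

```sql
-- Added example: least-privilege web-facing role plus client-cert auth and logging.
-- Assumed names: database appdb, schema app, role app_reader, ident map app_certs.

-- 1. A role that can log in but owns nothing and cannot escalate.
CREATE ROLE app_reader LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 20;

-- 2. Strip the default grants, then hand back only what the web tier needs.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO app_reader;
REVOKE ALL ON SCHEMA public FROM PUBLIC;       -- no scratch space for arbitrary DDL
GRANT USAGE ON SCHEMA app TO app_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_reader;

-- 3. Per-role limits so a hijacked web session cannot run away with the server.
ALTER ROLE app_reader SET statement_timeout = '5s';
ALTER ROLE app_reader SET search_path = app;

-- 4. Server settings: TLS with a CA that issues the client certificates, and
--    log every connection and every statement. ALTER SYSTEM writes
--    postgresql.auto.conf; ssl settings need a reload, some a restart.
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_ca_file = '/etc/postgresql/client-ca.crt';  -- assumed path
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_statement = 'all';
SELECT pg_reload_conf();

-- 5. pg_hba.conf (not SQL; shown as a comment). app_reader is accepted only
--    over TLS with a client certificate signed by the CA above, the certificate
--    CN is mapped to the role through pg_ident.conf, and the superuser is
--    never reachable over the network. First matching line wins.
--      hostssl  appdb  app_reader  0.0.0.0/0  cert  map=app_certs
--      hostssl  all    postgres    0.0.0.0/0  reject
--    pg_ident.conf (CN "web-tier-01" is an assumed value):
--      app_certs  web-tier-01  app_reader
```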
SnegSibiry

You've added the wrong letter in the beginning. That is the letter, sent back from the Congress to The Treasury, not vice versa.
