| From: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Aidan Van Dyk <aidan(at)highrise(dot)ca>, Joshua Tolley <eggyknap(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Thoughts on pg_hba.conf rejection |
| Date: | 2010-04-19 19:10:49 |
| Message-ID: | 1271704250.8305.19916.camel@ebony |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, 2010-04-15 at 09:44 -0400, Tom Lane wrote:
> Maybe uaImplicitReject for the end-of-file case would be
> the most readable way.
uaImplicitReject capability added.
We're now free to bikeshed on exact wording. After much heavy thinking,
message is "pg_hba.conf rejects..." with no hint (yet?).
Point of note on giving information to the bad guys: if a
should-be-rejected connection request attempts to connect to a
non-existent database, we say "database does not exist". If db does
exist we say "pg_hba.conf rejects...". To me that looks like giving info
away... if an IP address range is rejected always then telling them
whether or not a particular database name exists seems like something I
would not wish to expose.
--
Simon Riggs www.2ndQuadrant.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2010-04-19 19:14:44 | Re: Standalone backends run StartupXLOG in an incorrect environment |
| Previous Message | Tom Lane | 2010-04-19 18:34:20 | Re: Standalone backends run StartupXLOG in an incorrect environment |