Re: [GENERAL] Re: Debian's PostgreSQL packages

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Oliver Elphick <olly(at)lfix(dot)co(dot)uk>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, "J(dot)H(dot)M(dot) Dassen (Ray)" <jdassen(at)cistron-office(dot)nl>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [GENERAL] Re: Debian's PostgreSQL packages
Date: 2001-09-05 04:48:35
Message-ID: 200109050448.f854mZ201972@candle.pha.pa.us
Lists: pgsql-general, pgsql-hackers

Funny, I found this going through my mailbox.  Seems I was going to
return to this SO_PEERCRED anyway.

> Bruce Momjian wrote:
>   >> > I think our current idea is to have people run local ident servers to
>   >> > handle this.  We don't have any OS-specific stuff in pg_hba.conf and I
>   >> > am not sure if we want to add that complexity.  What do others think?
>   >> 
>   >> This is not any less "specific" than SSL or Kerberos.  Note that opening a
>   >> TCP/IP socket already opens a theoretical hole to the world.  Unix domain
>   >> is much safer.
>   >
>   >You can install SSL/Kerberos on any Unix, and many come pre-installed. 
>   >You can't add unix-domain socket user authentication to any OS.
>   >
>   >I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
>   >a hole:
>   >
>   >127                       127.0.0.1                UGRS    4352 lo0
>   >127.0.0.1                 127.0.0.1                UH      4352 lo0
>   >
>   >However, the security issue may make it worthwhile.  Which OS's support
>   >user authentication again, and can we test via configure?  Maybe we can
>   >strip out the mention in the pg_hba.conf file if it is not supported on
>   >that OS.
>  
> The security issue is why I developed it.  There were complaints from people 
> who did not want to have identd running at all.
> 
> I think the feature is available in Linux, Solaris and some BSD.  It can be
> tested for by whether SO_PEERCRED is defined in sys/socket.h.
> 
> I don't see the need to strip mention from the comments in pg_hba.conf.  The
> situation is no different from those systems which do not have Kerberos or
> SSL available.
> 
> -- 
> Oliver Elphick                                Oliver(dot)Elphick(at)lfix(dot)co(dot)uk
> Isle of Wight                              http://www.lfix.co.uk/oliver
> PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
> GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
>                  ========================================
>      "I waited patiently for the LORD; and he inclined unto 
>       me, and heard my cry. He brought me up also out of an 
>       horrible pit, out of the miry clay, and set my feet 
>       upon a rock, and established my goings. And he hath 
>       put a new song in my mouth, even praise unto our God.
>       Many shall see it, and fear, and shall trust in the 
>       LORD."                 Psalms 40:1-3 
> 
> 
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
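
The compile-time test described in the quoted message (whether SO_PEERCRED is defined in sys/socket.h), shown as an added example that is not part of the original thread or of PostgreSQL's source. It assumes the Linux `struct ucred` layout; `peer_uid` and `peer_uid_selfcheck` are hypothetical names.

```c
#define _GNU_SOURCE             /* glibc exposes struct ucred only with this */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Hypothetical helper: store the effective uid of the process at the other
 * end of a connected Unix-domain socket. Returns 0 on success, -1 on error
 * or when the platform does not define SO_PEERCRED.
 */
int peer_uid(int fd, uid_t *uid)
{
#ifdef SO_PEERCRED
    struct ucred cred;          /* assumption: Linux credential layout */
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    if (len != sizeof(cred))    /* short answer: do not trust it */
        return -1;
    *uid = cred.uid;            /* filled in by the kernel, not by the peer */
    return 0;
#else
    (void) fd;
    (void) uid;
    return -1;                  /* caller must fall back to another method */
#endif
}

/* Constructed check: talk to ourselves over a socket pair; 1 if uid matches. */
int peer_uid_selfcheck(void)
{
    int sv[2];
    uid_t uid = (uid_t) -1;
    int ok;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    ok = (peer_uid(sv[0], &uid) == 0 && uid == geteuid());
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("peer uid matches our euid: %d\n", peer_uid_selfcheck());
    return 0;
}
```

A server would call such a helper on the descriptor returned by accept() and compare the uid with the requested database user; a TCP socket, including one on 127.0.0.1, carries no such credentials.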
