Skip site navigation (1) Skip section navigation (2)

postgresql-7.1.3 pg_ctl password authentication and startup

From: Benjamin Yu <benjaminlyu(at)yahoo(dot)com>
To: pgsql-patches(at)postgresql(dot)org
Subject: postgresql-7.1.3 pg_ctl password authentication and startup
Date: 2001-09-22 20:07:04
Message-ID: 20010922200704.52522.qmail@web14802.mail.yahoo.com (view raw or flat)
Thread:
Lists: pgsql-patches
The problem:
 If password authentication is set, then startup
blocks waiting for a password to be given in stdin.

System:
 FreeBSD 4.4
 postgresql runs under user/group pgsql
 data directory owned by pgsql

Workaround:
 Modified the pg_ctl script to redirect a one line
password file to "$PGPATH/psql". The passwd file
exists in the data directory.
PASSFILE=$PGDATA/postmaster.passwd
 If the passwd file does not exist, an empty one will
be created with perm 600.

Security:
 If someone has root or pgsql os user access, then
they
can alter the data directory at will anyways. Putting
a plaintext passwd file in the data directory that
regular users cannot access anyways does not represent
any more of a security hazard that if someone had
access to the master.passwd files.
 Workaround a bit more secure than allowing trust to
all local users.
 
--- pg_ctl.sh   Sat Apr 21 04:23:58 2001
+++ /usr/local/bin/pg_ctl       Sat Sep 22 12:39:03
2001
@@ -56,8 +56,8 @@
 
 
 # Placed here during build
-bindir='@bindir@'
-VERSION='@VERSION@'
+bindir='/usr/local/bin'
+VERSION='7.1.3'
 
 # protect the log file
 umask 077
@@ -226,6 +226,11 @@
 DEFPOSTOPTS=$PGDATA/postmaster.opts.default
 POSTOPTSFILE=$PGDATA/postmaster.opts
 PIDFILE=$PGDATA/postmaster.pid
+PASSFILE=$PGDATA/postmaster.passwd
+if [ ! -e $PASSFILE ];then
+       touch $PASSFILE
+       chmod 600 $PASSFILE
+fi
 
 if [ $op = "status" ];then
     if [ -f $PIDFILE ];then
@@ -347,6 +352,10 @@
        do
 # FIXME:  This is horribly misconceived.
 # 1) If password authentication is set up, the
connection will fail.
+#      Kinda fixed. If password is set up, and the
$PASSFILE
+#      does not exist, then it will fail. If password
is setup
+#      and passwd file exists with the passwd, then
it will succeed.
+#      If password auth is not set, this will still
work.
 # 2) If a virtual host is set up, the connection may
fail.
 # 3) If network traffic filters are set up tight
enough, the connection
 #    may fail.
@@ -357,7 +366,7 @@
 # 6) If the dynamic loader is not set up correctly
(for this user/at
 #    this time), psql will fail (to find libpq).
 # 7) If psql is misconfigured, this may fail.
-           if "$PGPATH/psql" -l >/dev/null 2>&1
+           if "$PGPATH/psql" -l >/dev/null 2>&1 <
$PASSFILE
            then
                break;
            else

__________________________________________________
Do You Yahoo!?
Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com

Responses

pgsql-patches by date

Next:From: Bruce MomjianDate: 2001-09-22 21:33:44
Subject: Re: CREATE OR REPLACE FUNCTION
Previous:From: Tom LaneDate: 2001-09-22 15:57:00
Subject: Re: CREATE OR REPLACE FUNCTION

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group