Re: Thoughts on pg_hba.conf rejection

From: Aidan Van Dyk <aidan(at)highrise(dot)ca>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Joshua Tolley <eggyknap(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Simon Riggs <simon(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Thoughts on pg_hba.conf rejection
Date: 2010-04-14 20:24:13
Message-ID: 20100414202413.GB3439@oak.highrise.ca
Lists: pgsql-hackers

* Bruce Momjian <bruce(at)momjian(dot)us> [100414 16:20]:
> Joshua Tolley wrote:
> -- Start of PGP signed section.
> > On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
> > > On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > > Simon Riggs <simon(at)2ndQuadrant(dot)com> writes:
> > > >> When there is a specific reject rule, why does the server say
> > > > >> FATAL: no pg_hba.conf entry
> > > > >
> > > > > It's intentional. We try to expose the minimum amount of knowledge
> > > > about the contents of pg_hba.conf to potential attackers.
> > >
> > > The problem with the message is not that it's uninformative, but that
> > > it's counterfactual.
> > >
> > > ...Robert
> >
> > I agree (I noticed and was bothered by this today, as a matter of irrelevant
> > fact). I can support the idea of exposing as little as possible of
> > pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
> > standard. Just say something like "connection disallowed" and leave it at that
> > -- either it's disallowed by lack of a rule, or by existence of a "reject"
> > rule, or by something else entirely. As long as the message isn't clearly
> > wrong in the "reject" case, as it is now.
>
> Did we come to any conclusion on this?

I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"

That's no longer counter-factual, and works for both no entry, and a
rejecting entry...

a.
--
Aidan Van Dyk Create like a god,
aidan(at)highrise(dot)ca command like a king,
http://www.highrise.ca/ work like a slave.
