Re: pg_hba.conf: samehost and samenet [REVIEW]

From: Stef Walter <stef-list(at)memberwebs(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-23 16:41:09
Message-ID: 4ABA4FA5.5010607@memberwebs.com
Lists: pgsql-hackers

Magnus Hagander wrote:
> On Mon, Sep 21, 2009 at 20:12, Stef Walter <stef-list(at)memberwebs(dot)com> wrote:
>
>
> <snip>
>> Updated in attached patch.
>
> This patch does not build on Windows, the error is:
> ip.obj : error LNK2019: unresolved external symbol __imp__WSAIoctl(at)36 referenced
> in function _pg_foreach_ifaddr
> ip.obj : error LNK2019: unresolved external symbol __imp__WSASocketA(at)24 referenc
> ed in function _pg_foreach_ifaddr
> .\Release\libpq\libpq.dll : fatal error LNK1120: 2 unresolved externals
>
>
> I don't have time to investigate this further right now, so if
> somebody else wants to dig into why that is happening that would be
> helpful :)

My Windows VM is giving me problems, but I'll try to look into it unless
someone else beats me to it.

> Also, one thought - with samenet we currently, from what I can tell,
> enumerate all interfaces. Not just those we bind to based on
> listen_addresses. Is that intentional, or should we restrict ourselves to
> subnets reachable through the interfaces we're actually listening on?

This would change the scope of the patch significantly. It seems that
adding that limitation is unnecessary. In my opinion, if stricter hba
security is required, and limiting to specific subnets is desired,
those subnets should be entered directly into the pg_hba.conf file.

Currently people are adding 0.0.0.0 to a default pg_hba.conf file in
order to allow access from nearby machines, without running into the
maintenance problems of hard-coding IP addresses. However, using 0.0.0.0
is clearly suboptimal from a security perspective.

I've seen the samenet feature as a way to avoid the use of 0.0.0.0 in
these cases.

Obviously people who would like stricter postgres security can configure
subnets manually, and would probably not be comfortable with 'automatic'
decisions being made about the subnets allowed.

Cheers,

Stef
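As an added illustration of the semantics discussed in this message (example code, not the patch's own implementation): `samehost` matches an address assigned to any local interface, `samenet` matches any address inside the subnet of any local interface (all interfaces, not only those in listen_addresses, as Magnus notes), and an ordinary CIDR rule such as the over-broad `0.0.0.0/0` is shown for contrast. The interface list is constructed and stands in for what the OS would report.

```python
import ipaddress

# Constructed local interface list (address/prefix). In the real patch this
# would come from enumerating the host's interfaces (pg_foreach_ifaddr).
LOCAL_INTERFACES = [
    "127.0.0.1/8",
    "192.168.10.5/24",
    "10.1.2.3/16",
]


def _ifaces(interfaces):
    return [ipaddress.ip_interface(i) for i in interfaces]


def matches_samehost(client, interfaces=LOCAL_INTERFACES):
    """samehost: the client address is one of the host's own interface addresses."""
    addr = ipaddress.ip_address(client)
    return any(addr == i.ip for i in _ifaces(interfaces))


def matches_samenet(client, interfaces=LOCAL_INTERFACES):
    """samenet: the client address lies within the subnet of any local interface."""
    addr = ipaddress.ip_address(client)
    return any(addr in i.network
               for i in _ifaces(interfaces) if i.ip.version == addr.version)


def matches_cidr(client, cidr):
    """Ordinary pg_hba.conf CIDR rule, e.g. the over-broad 0.0.0.0/0."""
    return ipaddress.ip_address(client) in ipaddress.ip_network(cidr, strict=False)


def evaluate_rule(address_field, client, interfaces=LOCAL_INTERFACES):
    """Dispatch on the ADDRESS field of a pg_hba.conf 'host' line."""
    if address_field == "samehost":
        return matches_samehost(client, interfaces)
    if address_field == "samenet":
        return matches_samenet(client, interfaces)
    return matches_cidr(client, address_field)


if __name__ == "__main__":
    # 203.0.113.4 is off-subnet: only the 0.0.0.0/0 rule lets it through.
    for rule in ("0.0.0.0/0", "samenet", "samehost"):
        for client in ("192.168.10.77", "10.1.200.9", "203.0.113.4", "192.168.10.5"):
            print(f"{rule:10} {client:15} -> {evaluate_rule(rule, client)}")
```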
