Skip site navigation (1) Skip section navigation (2)

Re: pg_hba.conf: samehost and samenet [REVIEW]

From: Stef Walter <stef-list(at)memberwebs(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: stef(at)memberwebs(dot)com, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-23 23:56:47
Message-ID: 4ABAB5BF.60002@memberwebs.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Tom Lane wrote:
> Stef Walter <stef-list(at)memberwebs(dot)com> writes:
>> Allowing host names in pg_hba.conf would also solve this problem,
>> although the last person who tried to implement this it was a topic of
>> contention. I asked if I should focus on reverse DNS host names in
>> pg_hba.conf or portability for this samenet patch, and it was indicated
>> that I should do the latter.
> 
> Agreed, a DNS-based solution would be a huge pain in the rear to do
> correctly.  However, I think what Robert wanted to know was just how
> portable you believe this solution is.  If it doesn't work, and work
> pretty much the same, on all our supported platforms then I'm afraid
> we can't use it.  

It does work the same on the platforms noted earlier. After work today,
I'll put time into making sure that the winsock build problem noted
earlier is sorted out.

> In this case what particularly scares me is the idea that 'samenet'
> might be interpreted to let in a larger subnet than the user expected,
> eg 10/8 instead of 10.0.0/24.  You'd likely not notice the problem until
> after you'd been broken into ...

As Mark noted in another email, ones networking wouldn't work at all
with such a misconfiguration.

But if you like I can add additional defensive checks in the code to
ignore those obviously invalid netmasks like /0. Basically the OS would
be giving postgres bad information. Does postgres generally try to guard
against this? I'll follow the convention of the project.

Cheers,

Stef


In response to

Responses

pgsql-hackers by date

Next:From: David E. WheelerDate: 2009-09-24 00:16:07
Subject: Re: latest hstore patch
Previous:From: Stef WalterDate: 2009-09-23 23:06:18
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group