| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | stef(at)memberwebs(dot)com |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_hba.conf: samehost and samenet [REVIEW] |
| Date: | 2009-09-23 21:19:25 |
| Message-ID: | 7876.1253740765@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stef Walter <stef-list(at)memberwebs(dot)com> writes:
> Allowing host names in pg_hba.conf would also solve this problem,
> although the last person who tried to implement this it was a topic of
> contention. I asked if I should focus on reverse DNS host names in
> pg_hba.conf or portability for this samenet patch, and it was indicated
> that I should do the latter.
Agreed, a DNS-based solution would be a huge pain in the rear to do
correctly. However, I think what Robert wanted to know was just how
portable you believe this solution is. If it doesn't work, and work
pretty much the same, on all our supported platforms then I'm afraid
we can't use it. There's nothing worse than a security-critical
feature that works differently than you expect it to.
In this case what particularly scares me is the idea that 'samenet'
might be interpreted to let in a larger subnet than the user expected,
eg 10/8 instead of 10.0.0/24. You'd likely not notice the problem until
after you'd been broken into ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Mielke | 2009-09-23 21:36:06 | Re: pg_hba.conf: samehost and samenet [REVIEW] |
| Previous Message | Robert Haas | 2009-09-23 21:12:05 | Re: pg_hba.conf: samehost and samenet [REVIEW] |