
Re: pg_hba.conf: samehost and samenet [REVIEW]

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: stef(at)memberwebs(dot)com
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-23 21:19:25
Message-ID: 7876.1253740765@sss.pgh.pa.us
Lists: pgsql-hackers
Stef Walter <stef-list(at)memberwebs(dot)com> writes:
> Allowing host names in pg_hba.conf would also solve this problem,
> although the last person who tried to implement this it was a topic of
> contention. I asked if I should focus on reverse DNS host names in
> pg_hba.conf or portability for this samenet patch, and it was indicated
> that I should do the latter.

Agreed, a DNS-based solution would be a huge pain in the rear to do
correctly.  However, I think what Robert wanted to know was just how
portable you believe this solution is.  If it doesn't work, and work
pretty much the same, on all our supported platforms then I'm afraid
we can't use it.  There's nothing worse than a security-critical
feature that works differently than you expect it to.

In this case what particularly scares me is the idea that 'samenet'
might be interpreted to let in a larger subnet than the user expected,
eg 10/8 instead of 10.0.0/24.  You'd likely not notice the problem until
after you'd been broken into ...

			regards, tom lane
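The widening Tom describes, as an added illustration that is not code from the samenet patch or from PostgreSQL: a 'samenet' decision reduces to (client AND mask) == (interface AND mask), so the netmask the platform reports for the interface is what decides how much gets admitted. The interface address, client address and masks below are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted-quad IPv4 string into host byte order; false on bad input. */
static bool parse_v4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return false;
    *out = ntohl(a.s_addr);
    return true;
}

/* Core 'samenet' test: the client is on the interface's subnet iff the
 * masked addresses are equal. A too-short mask silently widens the match. */
bool samenet_match(const char *client, const char *iface_addr, const char *iface_mask)
{
    uint32_t c, i, m;
    if (!parse_v4(client, &c) || !parse_v4(iface_addr, &i) || !parse_v4(iface_mask, &m))
        return false;            /* unparsable input never matches */
    return (c & m) == (i & m);
}

/* Number of addresses a mask admits: a quick sanity check when reviewing
 * what a 'samenet' line would actually let in on a given host. */
unsigned long long admitted_addresses(const char *iface_mask)
{
    uint32_t m;
    if (!parse_v4(iface_mask, &m))
        return 0;
    return (unsigned long long)(~m) + 1ULL;
}

int main(void)
{
    /* Constructed sample: server interface 10.0.0.5, really on a /24. */
    const char *iface = "10.0.0.5";
    const char *client = "10.1.2.3";   /* inside 10/8 but outside 10.0.0/24 */
    printf("/24 mask: client %s admitted? %s (%llu addresses)\n", client,
           samenet_match(client, iface, "255.255.255.0") ? "yes" : "no",
           admitted_addresses("255.255.255.0"));
    printf("/8 mask:  client %s admitted? %s (%llu addresses)\n", client,
           samenet_match(client, iface, "255.0.0.0") ? "yes" : "no",
           admitted_addresses("255.0.0.0"));
    return 0;
}
```

Running it with the two masks shows the same client rejected under /24 and admitted under /8, which is exactly the difference an operator would not notice until too late.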
