From: Magnus Hagander <magnus(at)hagander(dot)net>
To: stef(at)memberwebs(dot)com
Cc: Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-23 17:07:46
Message-ID: 9837222c0909231007y503418e9n88a933d007f4f2fe@mail.gmail.com
Lists: pgsql-hackers

On Wed, Sep 23, 2009 at 18:41, Stef Walter <stef-list(at)memberwebs(dot)com> wrote:
> Magnus Hagander wrote:
>> On Mon, Sep 21, 2009 at 20:12, Stef Walter <stef-list(at)memberwebs(dot)com> wrote:
>>
>>
>> <snip>
>>> Updated in attached patch.
>>
>> This patch does not build on Windows, the error is:
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSAIoctl@36 referenced
>> in function _pg_foreach_ifaddr
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSASocketA@24 referenced
>> in function _pg_foreach_ifaddr
>> .\Release\libpq\libpq.dll : fatal error LNK1120: 2 unresolved externals
>>
>>
>> I don't have time to investigate this further right now, so if
>> somebody else wants to dig into why that is happening that would be
>> helpful :)
>
> My Windows VM is giving me problems, but I'll try to look into it unless
> someone else beats me to it.
If you want a VM that works, look at:
http://blog.hagander.net/archives/151-Testing-PostgreSQL-patches-on-Windows-using-Amazon-EC2.html
If it's just the VM... :-)
>> Also, one thought - with samenet we currently from what I can tell
>> enumerate all interfaces. Not just those we bind to based on
>> listen_addresses. Is that intentional, or should we restrict ourselves to
>> subnets reachable through the interfaces we're actually listening on?
>
> This would change the scope of the patch significantly. It seems that
> adding that limitation is unnecessary. In my opinion, if stricter hba
> security is required, and limiting to specific subnets is desired,
> those subnets should be entered directly into the pg_hba.conf file.
>
> Currently people are adding 0.0.0.0 to a default pg_hba.conf file in
> order to allow access from nearby machines, without running into the
> maintenance problems of hard coding IP addresses. However using 0.0.0.0
> is clearly suboptimal from a security perspective.
>
> I've seen the samenet feature as a way to avoid the use of 0.0.0.0 in
> these cases.
>
> Obviously people who would like stricter postgres security can configure
> subnets manually, and would probably not be comfortable with 'automatic'
> decisions being made about the subnets allowed.
Agreed. In that case, I think we just need to make that clearer in the
docs, so people don't make the mistake of thinking it means something
other than what it does.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
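The point argued in the message above is that `samenet` matches any subnet the server has an interface on, not only the subnets reachable through the addresses in `listen_addresses`, and that people who want tighter control should write the subnet into pg_hba.conf by hand. The following is an added example, not code from the patch under review or from PostgreSQL: it models pg_hba.conf address matching for `samehost`, `samenet`, CIDR and the `0.0.0.0/0` pattern the thread mentions, over a constructed multi-homed interface list, and shows how the three ways of "letting nearby machines in" behave for a client on a second network. The optional `listen_addresses` filter is a hypothetical variant of the restriction Magnus asks about; the patch, as described in the thread, does not apply it. Interface addresses, client addresses and the sample pg_hba.conf lines are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed, hypothetical topology: PostgreSQL listens only on eth0, but the
# host also has a leg on a 10/8 management network via eth1.
INTERFACES: List[str] = [
    "127.0.0.1/8",      # lo
    "::1/128",          # lo, IPv6
    "192.168.1.10/24",  # eth0: the address that would be in listen_addresses
    "10.0.0.5/8",       # eth1: not in listen_addresses
]

# Three ways of writing "let nearby machines in", as discussed in the thread.
# Constructed sample lines; the host-type, CIDR-address subset of the syntax.
POLICIES: Dict[str, str] = {
    "weak":    "host all all 0.0.0.0/0      md5",  # every IPv4 client reaches auth
    "samenet": "host all all samenet        md5",  # the patch under review
    "strict":  "host all all 192.168.1.0/24 md5",  # hand-entered subnet
}


@dataclass(frozen=True)
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: str
    method: str


def parse_hba(text: str) -> List[HbaRule]:
    """Parse host-type pg_hba.conf lines whose address field is CIDR or a keyword."""
    rules: List[HbaRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            continue  # Unix-socket rules carry no address field; out of scope here
        if len(fields) < 5:
            raise ValueError(f"unparseable pg_hba.conf line: {raw!r}")
        rules.append(HbaRule(*fields[:5]))
    return rules


def candidate_interfaces(interfaces: Sequence[str],
                         listen_addresses: Optional[Sequence[str]] = None):
    """All interfaces (the behaviour described for the patch), or, hypothetically,
    only those whose address appears in listen_addresses ('*' means all)."""
    ifaces = [ipaddress.ip_interface(a) for a in interfaces]
    if listen_addresses is None or "*" in listen_addresses:
        return ifaces
    listening = {ipaddress.ip_address(a) for a in listen_addresses}
    return [i for i in ifaces if i.ip in listening]


def address_matches(address: str, client: str, interfaces: Sequence[str],
                    listen_addresses: Optional[Sequence[str]] = None) -> bool:
    ip = ipaddress.ip_address(client)
    if address == "all":
        return True
    ifaces = candidate_interfaces(interfaces, listen_addresses)
    if address == "samehost":
        return any(i.ip == ip for i in ifaces)
    if address == "samenet":
        # `in` is False across address families: an IPv6 client never matches an
        # IPv4 subnet and vice versa.
        return any(ip in i.network for i in ifaces)
    return ip in ipaddress.ip_network(address, strict=False)


def first_matching_rule(rules: Sequence[HbaRule], client: str,
                        interfaces: Sequence[str] = INTERFACES,
                        listen_addresses: Optional[Sequence[str]] = None) -> Optional[HbaRule]:
    """pg_hba.conf is first-match: return the first rule whose address covers the client."""
    for rule in rules:
        if (rule.conn_type in ("host", "hostssl", "hostnossl")
                and address_matches(rule.address, client, interfaces, listen_addresses)):
            return rule
    return None


def which_policies_admit(client: str, interfaces: Sequence[str] = INTERFACES,
                         listen_addresses: Optional[Sequence[str]] = None) -> Dict[str, bool]:
    """For each policy in POLICIES, does the client reach an authentication rule at all?"""
    return {
        name: first_matching_rule(parse_hba(text), client, interfaces, listen_addresses) is not None
        for name, text in POLICIES.items()
    }


if __name__ == "__main__":
    for client in ("192.168.1.55", "10.200.3.4", "203.0.113.7", "2001:db8::1"):
        print(client, which_policies_admit(client),
              "samenet restricted to listen_addresses:",
              which_policies_admit(client, listen_addresses=["192.168.1.10"])["samenet"])
```

The client on the management network (`10.200.3.4`) is the interesting case: `0.0.0.0/0` admits it, the hand-entered `192.168.1.0/24` rejects it, and `samenet` admits it because the host has an interface on 10/8 even though PostgreSQL does not listen there; only the hypothetical `listen_addresses` restriction changes that outcome. Note also that `0.0.0.0/0` is IPv4-only, so the "weak" line does not admit an IPv6 client; in a real pg_hba.conf a separate `::/0` line would be needed for that, which is one more reason it is a poor substitute for an explicit subnet.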