Quick Links

Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local]

From:	Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To:	Albert Schabhuetl <albert_schabhuetl(at)yahoo(dot)de>
Cc:	PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Subject:	Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local]
Date:	2018-11-25 22:30:06
Message-ID:	CAEepm=3N2sA8NKxTTobOLYwZjO=z2n_pQ0P5Fra3Znb5W190cA@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs

On Mon, Nov 26, 2018 at 9:10 AM Albert Schabhuetl
<albert_schabhuetl(at)yahoo(dot)de> wrote:
> NULL vs hostname for PAM_RHOST:
>
> My understanding is that the purpose of the PAM configuration parameter pam_use_hostname is to avoid the adverse effects of DNS queries if set to 0. Thus if pam_use_hostname is 0, PAM_RHOST shall be NULL for domain socket connections, just like it is the case for TCP connections.

It doesn't set it to NULL for TCP connections. It tells PostgreSQL
not to bother resolving the name to an address. We can't do much
about it if your PAM implementation decides to resolve it anyway. I
suppose we could have an option not to set it at all, even for TCP.
But the main thing that I think we need to change here to address your
complaint is the Unix socket case, because we're passing a
non-hostname in a context that expects a hostname, which is silly and
generates entirely bogus DNS lookups.

Here's a test:

In pg_hba.conf I put these lines:
local all all pam
pamservice="foo"
host all all 127.0.0.1/32 pam
pamservice="foo"

In /etc/pam.d/foo I put these lines:
auth optional pam_exec.so /tmp/spy_script.sh
auth required pam_permit.so

In /tmp/spy_script.sh I put these lines, and made it executable:
#!/bin/bash
echo "PAM_USER=$PAM_USER, PAM_RHOST=$PAM_RHOST" > /tmp/spy_script.out

$ psql -h localhost postgres munro
-> PAM_USER=munro, PAM_RHOST=127.0.0.1
$ psql postgres munro
-> PAM_USER=munro, PAM_RHOST=[local]

Now in pg_hba.conf I add pam_use_hostname=1 to the end of both lines...

$ psql -h localhost postgres munro
-> PAM_USER=munro, PAM_RHOST=localhost
$ psql postgres munro
-> PAM_USER=munro, PAM_RHOST=[local]

> >I wonder if anyone out there has come to rely on the value "[local]"
>
> I vote for changing it, and documenting it in the release notes.

Yeah. Here is a draft patch to change that. Test output:

$ psql -h localhost postgres munro
PAM_USER=munro, PAM_RHOST=localhost
$ psql postgres munro
PAM_USER=munro, PAM_RHOST=

--
Thomas Munro
http://www.enterprisedb.com

Attachment	Content-Type	Size
0001-Don-t-set-PAM_RHOST-for-Unix-sockets.patch	application/octet-stream	1.6 KB

In response to

Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local] at 2018-11-25 20:09:42 from Albert Schabhuetl

Responses

Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local] at 2018-11-26 14:02:12 from Peter Eisentraut

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Feike Steenbergen	2018-11-26 09:12:36	Re: New sessions on a database to be dropped consume 100% cpu
Previous Message	Albert Schabhuetl	2018-11-25 20:09:42	Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local]