Skip site navigation (1) Skip section navigation (2)

Peer credentials (was Security choices...)

From: Alex Pilosov <alex(at)pilosoft(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Philip Warner <pjw(at)rhyme(dot)com(dot)au>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: Peer credentials (was Security choices...)
Date: 2000-08-05 03:50:20
Message-ID: Pine.BSO.4.10.10008042335280.4362-100000@spider.pilosoft.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Fri, 4 Aug 2000, Bruce Momjian wrote:

> > At 18:34 4/08/00 -0400, Bruce Momjian wrote:
> > >[ Charset ISO-8859-1 unsupported, converting... ]
> > >> Philip Warner writes:
> > >> 
> > >> > Is there any reason that a security model does not exist for psql that
> > >> > allows Unix user 'fred' to log in as PG user 'fred' with no password etc,
> > >> > but any user trying to log on as someone other than themselves has to
> > >> > provide a password?
> > >> 
> > >> Short of someone sitting down and making it happen I don't see any. You'd
> > >> only need to implement some sort of fall-through in `pg_hba.conf', which
> > >> in my estimate can't be exceedingly hard.
> > >
> > >How do you know Fred is Fred without a password?
> > >
> > 
> > The idea was to apply only on the matchine on which the postmaster runs;
> > then ideally you get the username of the client process. It's kind of like
> > IDENT, except it works only for local connections, and asks for passwords
> > for non-local connections.
> 
> I am not aware of any way to determine the PID at the other end of a
> unix domain socket.

You actually don't need the PID on the other end, what you are interested
are the credentials of a process on the other end. 

Unfortunately, every OS implemented it in very different way. Linux has
SO_PEERCREDS option, solaris has doors, xBSD have SCM_CREDS or LOCAL_CREDS

see:

http://metalab.unc.edu/pub/Linux/docs/HOWTO/Secure-Programs-HOWTO
http://www.whitefang.com/sup/work.html
http://cr.yp.to/docs/secureipc.html


In response to

pgsql-hackers by date

Next:From: Thomas LockhartDate: 2000-08-05 04:05:20
Subject: Quoting fun
Previous:From: Bruce MomjianDate: 2000-08-05 03:13:23
Subject: Re: Security choices...

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group