
Re: BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning

From: toruvinn <toruvinn(at)lain(dot)pl>
To: "security improvement proposal: pg_hba(dot)conf and CIDR mask" <marc(at)intershop(dot)de>
Subject: Re: BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
Date: 2008-09-23 22:51:01
Message-ID: op.uhyhrbm833x80h@insanity.lain.pl
Lists: pgsql-bugs
On Tue, 23 Sep 2008 11:44:24 +0200, security improvement proposal:
pg_hba.conf and CIDR mask <marc(at)intershop(dot)de> wrote:
> Description:        entries like "host    all       all   10.0.50.31/0   ..."
> should not be allowed or trigger a warning


> A CIDR mask length of 0 will allow to connect from any location.
Hm, it will allow matching any location; what it does with that later
depends on your settings. Putting "reject" as the method will, well,
reject them.
Also, I use "host dbname username 0.0.0.0/0 md5" in quite a few places,
and I believe I know what I'm doing. ;-)

> Checking the mask against the IP address would prevent such errors:
> /0 : disallow ?
Sorry, I can't agree here. I need that!

Kind of offtopic:
> /24 : IP must ends with .0
> /16 : IP must ends with .0.0
> ...
Precisely, /24 is A.B.C.*, /16 is A.B.*.*, /8 is A.*.*.*. It's not just .0
or .0.0, it's "anything".

HTH too. ;-)

-- 
ru
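
The two positions in this thread can be reconciled by a check that warns only when an address has bits set outside its CIDR mask (as in `10.0.50.31/0`) and leaves a deliberate `0.0.0.0/0` alone. The following is an added example, not part of the original message and not PostgreSQL code; the function name `lint_hba` and the sample file are constructed for illustration, and it assumes whitespace-separated fields with the address in CIDR form.

```python
import ipaddress

# Constructed sample pg_hba.conf content (not from the original message).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
host    all       all       10.0.50.31/0    md5
host    dbname    username  0.0.0.0/0       md5
host    all       all       10.0.50.31/32   md5
host    all       all       10.0.50.0/24    md5
host    all       all       10.0.50.7/24    reject
local   all       all                       peer
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}


def lint_hba(text):
    """Return (line_no, address, effective_network, method) for every host
    entry whose address has bits set outside its CIDR mask."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Simplification: treats '#' as a comment start even inside quotes.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        address, method = fields[3], fields[4]
        if "/" not in address:
            continue  # hostname, keyword, or separate-netmask form: not handled here
        try:
            iface = ipaddress.ip_interface(address)
        except ValueError:
            continue  # not a parsable IP/prefix; leave it to the server to report
        # The mask decides what is matched; bits beyond it are ignored.
        # If any are set, the author probably meant a narrower rule.
        if iface.ip != iface.network.network_address:
            findings.append((line_no, address, str(iface.network), method))
    return findings


if __name__ == "__main__":
    for line_no, address, network, method in lint_hba(SAMPLE_HBA):
        print(f"line {line_no}: {address} actually matches {network} ({method})")
```
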
