From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Checking pg_hba.conf in the child process |
Date: | 2012-02-24 22:27:06 |
Message-ID: | 1330122335-sup-2018@alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Excerpts from Bruce Momjian's message of vie feb 24 19:19:10 -0300 2012:
> In looking over our authentication code, I noticed that we create the
> child process before we check any of the pg_hba.conf file. Now, I
> realize we can't do authentication in the postmaster because of possible
> delay, and checking the user name and database name filters is just work
> that is better done in the child, but checking the IP address might
> prevent unauthorized clients from causing excessive process creation on
> the server. I know we have listen_addresses, but that defaults to "*"
> on the click-through installers, and not everybody knows how to set up a
> firewall.
Hm, one thing to keep in mind is that we allow hostnames there. It'd be
a pain to have postmaster hang while resolving names.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2012-02-24 22:31:47 | Re: pgsql_fdw, FDW for PostgreSQL server |
Previous Message | Bruce Momjian | 2012-02-24 22:19:10 | Checking pg_hba.conf in the child process |