From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Unfriendly handling of pg_hba SSL options with SSL off |
Date: | 2011-04-25 17:18:38 |
Message-ID: | 16545.1303751918@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Mon, Apr 25, 2011 at 18:59, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> It's not clear to me what behavior you are proposing. Would we
>> disregard the hostssl line or treat it as an error?
> It would absolutely have to be treat it as an error. Another option
> would be to throw a more specific warning at that place, and keep the
> rest of the code the same.
> We can't *ignore* hostssl rows in ssl=off mode, that would be an easy
> way for an admin to set up a system they thought was secure but
> isn't...

No, I don't see that it's a security hole. What would happen if the
line is ignored is you couldn't make connections with it. I think you
are positing that it'd be a potential security problem if a connection
attempt fell through that line and then succeeded with some later line
that had less-desirable properties --- but if your pg_hba.conf contents
are like that, you already have issues, because a non-SSL-enabled client
is going to reach that later line anyway.

Nonetheless, it's extremely confusing to the admin to ignore such a
line, and that's not a good thing in any security-sensitive context.

regards, tom lane
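
Added example, not part of the original message and not PostgreSQL's own code: a simplified first-match evaluator for pg_hba.conf `host`/`hostssl`/`hostnossl` lines, showing that a non-SSL client reaches the same later line whether a `hostssl` line is skipped or ignored outright, plus a check that reports `hostssl` lines that can never match when ssl is off. The sample file, the function names, and the assumption that database and user are `all` are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread): an SSL-only rule
# followed by a weaker rule for the same network.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS       METHOD
hostssl   all       all   10.0.0.0/8    cert
host      all       all   10.0.0.0/8    md5
hostnossl all       all   0.0.0.0/0     reject
"""

def parse_hba(text):
    """Return (lineno, type, network, method) for host/hostssl/hostnossl lines."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in ("host", "hostssl", "hostnossl"):
            rules.append((lineno, fields[0], ipaddress.ip_network(fields[3]), fields[4]))
    return rules

def first_match(rules, client_ip, uses_ssl, ignore_hostssl=False):
    """First rule matching the connection; database and user are assumed 'all'."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        _, kind, net, _ = rule
        if kind == "hostssl" and (ignore_hostssl or not uses_ssl):
            continue  # hostssl only ever matches SSL connections
        if kind == "hostnossl" and uses_ssl:
            continue  # hostnossl only ever matches non-SSL connections
        if addr in net:
            return rule
    return None

def unreachable_hostssl(rules, ssl_enabled):
    """Line numbers of hostssl rules that can never match because ssl is off."""
    return [] if ssl_enabled else [r[0] for r in rules if r[1] == "hostssl"]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    # With ssl=off every client is non-SSL, so ignoring hostssl changes nothing.
    print(first_match(rules, "10.1.2.3", uses_ssl=False))
    print(first_match(rules, "10.1.2.3", uses_ssl=False, ignore_hostssl=True))
    # The admin-facing problem: these lines are silently dead.
    print(unreachable_hostssl(rules, ssl_enabled=False))
```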