| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
| Subject: | Checking pg_hba.conf in the child process |
| Date: | 2012-02-24 22:19:10 |
| Message-ID: | 20120224221910.GA22341@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
In looking over our authentication code, I noticed that we create the
child process before we check any of the pg_hba.conf file. Now, I
realize we can't do authentication in the postmaster because of possible
delay, and checking the user name and database name filters is just work
that is better done in the child, but checking the IP address might
prevent unauthorized clients from causing excessive process creation on
the server. I know we have listen_addresses, but that defaults to "*"
on the click-through installers, and not everybody knows how to set up a
firewall.
Anyway, I just wanted to mention it in case there was something to be
done here.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2012-02-24 22:27:06 | Re: Checking pg_hba.conf in the child process |
| Previous Message | Dimitri Fontaine | 2012-02-24 22:09:41 | Re: Finer Extension dependencies |