From: | Jacob Champion <jchampion(at)timescale(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, "Drouvot, Bertrand" <bdrouvot(at)amazon(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf |
Date: | 2022-09-20 17:15:14 |
Message-ID: | CAAWbhmgm-HJn0v13vZHEJLUTgt0QvZWTFnQiGT0YxPEYCB_ivg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Sep 19, 2022 at 9:09 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> You have to assume that somebody (a) has a role or DB name starting
> with slash, (b) has an explicit reference to that name in their
> pg_hba.conf, (c) doesn't read the release notes, and (d) doesn't
> notice that things are misbehaving until after some hacker manages
> to break into their installation on the strength of the misbehaving
> entry. OK, I'll grant that the probability of (c) is depressingly
> close to unity; but each of the other steps seems quite low probability.
> All four of them happening in one installation is something I doubt
> will happen.
I can't argue with (a) or (b), but (d) seems decently likely to me. If
your normal user base consists of people who are authorized to access
your system, what clues would you have that your HBA is silently
failing open?
--Jacob
From | Date | Subject | |
---|---|---|---|
Next Message | Alvaro Herrera | 2022-09-20 17:28:35 | Re: A question about wording in messages |
Previous Message | Robert Haas | 2022-09-20 17:14:46 | Re: making relfilenodes 56 bits |