From: | Alex Pilosov <alex(at)pilosoft(dot)com> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Philip Warner <pjw(at)rhyme(dot)com(dot)au>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Peer credentials (was Security choices...) |
Date: | 2000-08-05 03:50:20 |
Message-ID: | Pine.BSO.4.10.10008042335280.4362-100000@spider.pilosoft.com |
Lists: | pgsql-hackers |
On Fri, 4 Aug 2000, Bruce Momjian wrote:
> > At 18:34 4/08/00 -0400, Bruce Momjian wrote:
> > >[ Charset ISO-8859-1 unsupported, converting... ]
> > >> Philip Warner writes:
> > >>
> > >> > Is there any reason that a security model does not exist for psql that
> > >> > allows Unix user 'fred' to log in as PG user 'fred' with no password etc,
> > >> > but any user trying to log on as someone other than themselves has to
> > >> > provide a password?
> > >>
> > >> Short of someone sitting down and making it happen I don't see any. You'd
> > >> only need to implement some sort of fall-through in `pg_hba.conf', which
> > >> in my estimate can't be exceedingly hard.
> > >
> > >How do you know Fred is Fred without a password?
> > >
> >
> > The idea was to apply only on the machine on which the postmaster runs;
> > then ideally you get the username of the client process. It's kind of like
> > IDENT, except it works only for local connections, and asks for passwords
> > for non-local connections.
>
> I am not aware of any way to determine the PID at the other end of a
> unix domain socket.

You actually don't need the PID on the other end; what you are interested
in are the credentials of a process on the other end.
Unfortunately, every OS implemented it in a very different way. Linux has
the SO_PEERCREDS option, Solaris has doors, xBSD have SCM_CREDS or LOCAL_CREDS;
see:
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Secure-Programs-HOWTO
http://www.whitefang.com/sup/work.html
http://cr.yp.to/docs/secureipc.html