On Thu, 2003-10-16 at 12:54, Josh Berkus wrote:
> While one could write a utility in Postgres to create/process the file, the
> "live" version of pg_hba.conf *must* be outside the database. If our ACL
> was in the database, then how would we know who has the rights to read the
> ACL?
I don't see why this is a show-stopping problem. Can you elaborate?
> Systems which store their ACLs in the database (MSSQL) are continuously
> vulnerable to attacks that piggy-back on the authentication process to gain
> entry to the database, e.g. the "Slammer" worm.
How does storing ACLs in the database have anything to do with Slammer,
which exploited some buffer overruns in the UDP authentication service
used by SQL server?
> Also, users would risk a permanent fatal lockout if they mis-configure pg_hba.
There are plenty of ways to get around that, however (e.g. a
command-line tool that effectively started a standalone backend and
allowed the DBA to bypass the ACL system).
-Neil
