Re: Is "trust" really a good default? - Mailing list pgsql-hackers

On Tue, 2004-07-13 at 22:27, Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > I think --ident would be very helpful, and we know with OS's support
> > ident too.
>
> If we're going to be doing sed-like substitutions on pg_hba.conf.sample,
> then we really really wanna discourage distros from hacking the sample
> file directly, because that could break the sed results.  So I think
> it's important to provide the switch.

Speaking for Debian, I should like to explain how pg_hba.conf is managed
(at least at present and probably in the next stable release).

The basic assumption is that a system-installed package is of universal
applicability, so there is only one (official) database cluster.  The
configuration files in that cluster are actually symlinks to
/etc/postgresql/*.  The Debian packaged version of initdb is hacked to
write those symlinks rather than copy the sample files.  (An extra
command option --debian-conffile does this, and is used by the
installation script.)

(A local user running initdb in his own space would get the upstream
behaviour, but this is not the normal case for package installations.)

The reasons for the changes are found in Debian policy:

1. All configuration files [conffiles] must be in /etc .
[motivation: administrators should be able to find configuration files
quickly, without having to research each package separately.]

2. No conffile may be changed by a package upgrade without the
administrator's consent.  A package (such as postgresql) cannot simply
overwrite a conffile such as pg_hba.conf with a new version.  Its new
version is written in parallel (/etc/postgresql/pg_hba.conf.dpkg-new)
and only overwrites the old one if the administrator consents.
[motivation: system administrators should not be surprised by having
their systems redefined without their consent.]


The default pg_hba.conf installed by a new package installation is
configured thus:

 local   all  postgres                              ident sameuser
 local   all  all                                   ident sameuser
 host    all  all      127.0.0.1  255.255.255.255   ident sameuser
 host    all  all      ::1        ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ident sameuser
 host    all  all      ::ffff:127.0.0.1/128         ident sameuser
 host    all  all      0.0.0.0    0.0.0.0           reject

that is, to accept local connections authenticated by ident and reject
the rest.  The adminstrator is advised not to change the first line, so
as to allow cron jobs to run.
[motivation: to install the package with a sufficient level of security
that it will not open the machine to remote exploits and to ensure that
local users cannot spoof their identity to the database or change other
people's data without permission.  We trust the local ident server,
since it is installed by the same administrator that is installing
postgresql.]


The point of this explanation is that as Debian maintainer I would have
to disable any procedures that attempt to edit these conffiles, or at
least ensure that their operation is under package control and produce
only the effects that I desire.  When initdb is rerun during major
upgrades, it must then leave the previous configuration unchanged.
Ensuring this is part of ensuring a smooth upgrade path, which is a
major part of the package maintainer's job.

--
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                 ========================================
     "Let your character be free from the love of money,
      being content with what you have; for He Himself has
      said, "I will never desert you, nor will I ever
      forsake you."
                              Hebrews 13:5