Re: Thoughts on pg_hba.conf rejection - Mailing list pgsql-hackers

From Simon Riggs
Subject Re: Thoughts on pg_hba.conf rejection
Date
Msg-id 1271704250.8305.19916.camel@ebony
Whole thread Raw
In response to Re: Thoughts on pg_hba.conf rejection  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Thoughts on pg_hba.conf rejection
List pgsql-hackers
On Thu, 2010-04-15 at 09:44 -0400, Tom Lane wrote:
> Maybe uaImplicitReject for the end-of-file case would be
> the most readable way.

uaImplicitReject capability added.

We're now free to bikeshed on exact wording. After much heavy thinking,
message is "pg_hba.conf rejects..." with no hint (yet?).

Point of note on giving information to the bad guys: if a
should-be-rejected connection request attempts to connect to a
non-existent database, we say "database does not exist". If db does
exist we say "pg_hba.conf rejects...". To me that looks like giving info
away... if an IP address range is rejected always then telling them
whether or not a particular database name exists seems like something I
would not wish to expose.

-- Simon Riggs           www.2ndQuadrant.com



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Standalone backends run StartupXLOG in an incorrect environment
Next
From: Simon Riggs
Date:
Subject: Re: Standalone backends run StartupXLOG in an incorrect environment