Peter Eisentraut <peter_e@gmx.net> writes:
> If we did this the straightforward way (exchange authentication packets
> after fork()) then rogue clients could connect, start a backend, twiddle
> thumbs, never finish the authentication exchange, meanwhile having filled
> up the limit on the number of connections.
True, but don't fool yourself that a similar DOS attack is not possible
now. The resource limit that an attacker can hit now is the maximum
number of open file descriptors for the single postmaster process, which
may be quite a lot lower than the maximum number of process table
entries, depending on how your system is configured.
Also note that we could easily fix things so that the max-number-of-
backends limit is not checked until we have passed the authentication
procedure. A PM child that's still busy authenticating doesn't have
to count.
> ISTM that there is some merit in having authentication happen *before*
> doing much else, especially allocating per-connection resources.
Sure, which is why the postmaster is written the way it is. But you
have to be willing to code the postmaster in a way that prevents it from
blocking on behalf of one client. We don't have that now for IDENT,
we are about to not have it for PAM, and I don't see a lot of enthusiasm
out there for adhering to those coding rules with the rigidity needed to
realize the theoretical benefit.
Another problem with the present setup is total cost of servicing each
connection request. We've seen several complaints about connection-
refused problems under heavy load, occurring because the single
postmaster process simply can't service the requests quickly enough to
keep its accept() queue from overflowing.
Forking the postmaster (without an exec) is a relatively cheap
operation, since the PM has only a small amount of writable data and
very few open files. I believe forking before authenticating would
improve the accept-queue-overflow problem by reducing the amount of
work done before the PM can accept() another connection request.
Moreover, if we went over to fork-before-authenticate, we could rip out
all the poor man's multitasking code that's in the postmaster. That
would make the PM simpler, more understandable, and ultimately more
reliable.
So on the whole I think changing would be a win.
regards, tom lane
