Re: [GENERAL] Re: Debian's PostgreSQL packages - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: [GENERAL] Re: Debian's PostgreSQL packages
Date
Msg-id 200109050448.f854mZ201972@candle.pha.pa.us
List pgsql-hackers
Funny, I found this going through my mailbox.  Seems I was going to
return to this SO_PEERCRED anyway.

> Bruce Momjian wrote:
>   >> > I think our current idea is to have people run local ident servers to
>   >> > handle this.  We don't have any OS-specific stuff in pg_hba.conf and I
>   >> > am not sure if we want to add that complexity.  What do others think?
>   >> 
>   >> This is not any less "specific" than SSL or Kerberos.  Note that opening a
>   >> TCP/IP socket already opens a theoretical hole to the world.  Unix domain
>   >> is much safer.
>   >
>   >You can install SSL/Kerberos on any Unix, and many come pre-installed. 
>   >You can't add unix-domain socket user authentication to any OS.
>   >
>   >I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
>   >a hole:
>   >
>   >127                       127.0.0.1                UGRS    4352 lo0
>   >127.0.0.1                 127.0.0.1                UH      4352 lo0
>   >
>   >However, the security issue may make it worthwhile.  Which OS's support
>   >user authentication again, and can we test via configure?  Maybe we can
>   >strip out the mention in the pg_hba.conf file if it is not supported on
>   >that OS.
>  
> The security issue is why I developed it.  There were complaints from people 
> who did not want to have identd running at all.
> 
> I think the feature is available in Linux, Solaris and some BSD.  It can be
> tested for by whether SO_PEERCRED is defined in sys/socket.h.
> 
> I don't see the need to strip mention from the comments in pg_hba.conf.  The
> situation is no different from those systems which do not have Kerberos or
> SSL available.
> 
> -- 
> Oliver Elphick                                Oliver.Elphick@lfix.co.uk
> Isle of Wight                              http://www.lfix.co.uk/oliver
> PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
> GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
>                  ========================================
>      "I waited patiently for the LORD; and he inclined unto 
>       me, and heard my cry. He brought me up also out of an 
>       horrible pit, out of the miry clay, and set my feet 
>       upon a rock, and established my goings. And he hath 
>       put a new song in my mouth, even praise unto our God.
>       Many shall see it, and fear, and shall trust in the 
>       LORD."                 Psalms 40:1-3 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
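The following is an added example, not code from this thread or from PostgreSQL, showing the mechanism under discussion: asking the kernel for the uid of the process on the other end of a Unix-domain socket via SO_PEERCRED, then mapping that uid to a login name the way an identd lookup would, but without running identd. It assumes Linux/glibc (struct ucred is only visible with _GNU_SOURCE); the compile-time probe mirrors the "is SO_PEERCRED defined in sys/socket.h" test Oliver proposes for configure, and on a system without it the functions report "unsupported" rather than failing to build. All function names (so_peercred_available, peer_uid, peer_username, peer_uid_via_socketpair) are this example's own.

```c
/* Added example (not from the thread): peer-credential lookup on a
 * Unix-domain socket with SO_PEERCRED.  Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Compile-time probe: the check a configure script would perform. */
int so_peercred_available(void)
{
#ifdef SO_PEERCRED
    return 1;
#else
    return 0;
#endif
}

/* Ask the kernel for the uid of the process at the other end of fd.
 * Returns 0 on success, -1 if unsupported, fd is invalid, or the
 * socket is not a Unix-domain socket.  The value comes from the kernel,
 * so unlike identd it cannot be spoofed by the connecting process. */
int peer_uid(int fd, uid_t *uid)
{
#ifdef SO_PEERCRED
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    *uid = cred.uid;
    return 0;
#else
    (void)fd; (void)uid;
    return -1;
#endif
}

/* Map the peer uid to a login name, the value an "ident" style
 * pg_hba.conf rule would compare against the requested database user. */
int peer_username(int fd, char *buf, size_t buflen)
{
    uid_t uid;
    struct passwd *pw;
    if (peer_uid(fd, &uid) != 0)
        return -1;
    pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    snprintf(buf, buflen, "%s", pw->pw_name);
    return 0;
}

/* Self-check: both ends of a socketpair belong to this process, so the
 * credential reported for one end must be our own uid. */
int peer_uid_via_socketpair(uid_t *uid)
{
    int sv[2];
    int rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    rc = peer_uid(sv[0], uid);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    uid_t uid;
    int sv[2];
    char name[64];

    if (!so_peercred_available()) {
        puts("SO_PEERCRED is not defined in sys/socket.h on this system");
        return 1;
    }
    if (peer_uid_via_socketpair(&uid) == 0)
        printf("peer uid %u, our uid %u\n", (unsigned)uid, (unsigned)getuid());

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (peer_username(sv[0], name, sizeof name) == 0)
            printf("peer login name: %s\n", name);
        close(sv[0]);
        close(sv[1]);
    }
    return 0;
}
```

In a real server the fd passed to peer_uid would be the one returned by accept() on the Unix-domain listening socket; the socketpair here only stands in for that so the example runs on its own.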