Re: pg_hba.conf: samehost and samenet [REVIEW] - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: pg_hba.conf: samehost and samenet [REVIEW]
Date
Msg-id 9837222c0909231007y503418e9n88a933d007f4f2fe@mail.gmail.com
In response to Re: pg_hba.conf: samehost and samenet [REVIEW]  (Stef Walter <stef-list@memberwebs.com>)
List pgsql-hackers
On Wed, Sep 23, 2009 at 18:41, Stef Walter <stef-list@memberwebs.com> wrote:
> Magnus Hagander wrote:
>> On Mon, Sep 21, 2009 at 20:12, Stef Walter <stef-list@memberwebs.com> wrote:
>>
>>
>> <snip>
>>> Updated in attached patch.
>>
>> This patch does not build on Windows, the error is:
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSAIoctl@36 referenced
>>  in function _pg_foreach_ifaddr
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSASocketA@24 referenc
>> ed in function _pg_foreach_ifaddr
>> .\Release\libpq\libpq.dll : fatal error LNK1120: 2 unresolved externals
>>
>>
>> I don't have time to investigate this further right now, so if
>> somebody else wants to dig into why that is happening that would be
>> helpful :)
>
> My Windows VM is giving me problems, but I'll try to look into it unless
> someone else beats me to it.

If you want a VM that works, look at:
http://blog.hagander.net/archives/151-Testing-PostgreSQL-patches-on-Windows-using-Amazon-EC2.html

If it's just the VM... :-)

>> Also, one thought - with samenet we currently from what I can tell
>> enumerate all interfaces. Not just those we bind to based on
>> listen_addresses. Is that intentional, or should we restrict us to
>> subnets reachable through the interfaces we're actually listening on?
>
> This would change the scope of the patch significantly. It seems that
> adding that limitation is unnecessary. In my opinion, if stricter hba
> security is required, and limiting to specific subnets is desired,
> those subnets should be entered directly into the pg_hba.conf file.
>
> Currently people are adding 0.0.0.0 to a default pg_hba.conf file in
> order to allow access from nearby machines, without running into the
> maintenance problems of hard coding IP addresses. However using 0.0.0.0
> is clearly suboptimal from a security perspective.
>
> I've seen the samenet feature as a way to avoid the use of 0.0.0.0 in
> these cases.
>
> Obviously people who would like stricter postgres security can configure
> subnets manually, and would probably not be comfortable with 'automatic'
> decisions being made about the subnets allowed.

Agreed. In that case, I think we just need to make that clearer in the
docs, so people don't make the mistake of thinking it means something
other than what it does.


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
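To make the semantics under discussion concrete, here is an added illustration that is not part of the patch or of PostgreSQL: a small Python model of samehost and samenet matching over a constructed list of local interfaces, plus the stricter listen_addresses-only variant Magnus asked about and the 0.0.0.0/0 entry Stef describes samenet as replacing. The interface addresses, prefix lengths and listen_addresses value are all constructed for the example.

```python
import ipaddress

# Constructed local interface list: (address, prefix length), in the shape
# an interface enumerator such as the patch's pg_foreach_ifaddr() would yield.
LOCAL_INTERFACES = [
    ("192.168.10.5", 24),   # the address the server actually listens on
    ("10.0.0.17", 16),      # second NIC, NOT in listen_addresses
    ("127.0.0.1", 8),       # loopback
]
# Constructed listen_addresses setting for the stricter variant.
LISTEN_ADDRESSES = ["192.168.10.5"]


def samehost_match(client, interfaces=LOCAL_INTERFACES):
    """samehost: the client address is one of the server's own addresses."""
    client_ip = ipaddress.ip_address(client)
    return any(ipaddress.ip_address(addr) == client_ip for addr, _ in interfaces)


def samenet_match(client, interfaces=LOCAL_INTERFACES,
                  listen_only=False, listen_addresses=LISTEN_ADDRESSES):
    """samenet: the client lies in the subnet of some local interface.

    As the patch stands, every interface counts. With listen_only=True only
    interfaces whose address appears in listen_addresses are considered,
    which is the narrower behaviour raised in the thread.
    """
    client_ip = ipaddress.ip_address(client)
    for addr, prefix in interfaces:
        if listen_only and addr not in listen_addresses:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if client_ip.version == net.version and client_ip in net:
            return True
    return False


def any_ipv4_match(client):
    """The 0.0.0.0/0 pg_hba.conf entry samenet is meant to replace: it
    admits every IPv4 client, nearby or not."""
    return ipaddress.ip_address(client) in ipaddress.ip_network("0.0.0.0/0")


if __name__ == "__main__":
    for c in ("192.168.10.77", "10.0.200.1", "203.0.113.9"):
        print(c, "samenet:", samenet_match(c),
              "samenet(listen only):", samenet_match(c, listen_only=True),
              "0.0.0.0/0:", any_ipv4_match(c))
```

The second client above is the case the thread is about: it sits on the subnet of a NIC the server does not listen on, so plain samenet admits it while the listen_addresses-restricted variant does not.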

