On Sat, Feb 25, 2012 at 00:45, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
>> Excerpts from Bruce Momjian's message of vie feb 24 19:19:10 -0300 2012:
>>> In looking over our authentication code, I noticed that we create the
>>> child process before we check any of the pg_hba.conf file. Now, I
>>> realize we can't do authentication in the postmaster because of possible
>>> delay, and checking the user name and database name filters is just work
>>> that is better done in the child, but checking the IP address might
>>> prevent unauthorized clients from causing excessive process creation on
>>> the server. I know we have listen_addresses, but that defaults to "*"
>>> on the click-through installers, and not everybody knows how to set up a
>>> firewall.
>
>> Hm, one thing to keep in mind is that we allow hostnames there. It'd be
>> a pain to have postmaster hang while resolving names.
>
> Yes. This cure would be a lot worse than the disease. Bruce ought to
> remember that we intentionally moved all that logic *out* of the
> postmaster process, years ago, precisely because it was too hard to
> ensure that the postmaster wouldn't block and thus create DOS conditions
> of another sort.
As long as the block would only look at the IP it would also be
trivial - and more efficient - to do the same blocking in the
firewall, either local host firewall rules or the network firewall
depending on deployment...
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
