Thread: BUG #4330: Bonjour connections ignore hba config METHOD and always trusted
BUG #4330: Bonjour connections ignore hba config METHOD and always trusted
From
"William Kyngesburye"
Date:
The following bug has been logged online:

Bug reference: 4330
Logged by: William Kyngesburye
Email address: kyngchaos@kyngchaos.com
PostgreSQL version: 8.3.1
Operating system: Mac OS X 10.4.11
Description: Bonjour connections ignore hba config METHOD and always trusted
Details:

I have a role configured for local IP connection with md5 authentication. When using the postgres server IP or DNS name from a local network connection, it correctly prompts for the role's password.

When connecting with the Bonjour name of the postgres server, it ignores the md5 setting and always trusts the connection. I tried with other auth methods with the same effect.

This is bad.
"William Kyngesburye" <kyngchaos@kyngchaos.com> writes:
> When connecting with the Bonjour name of the postgres server, it ignores the
> md5 setting and always trusts the connection. I tried with other auth
> methods with the same effect.

What exactly have you got in pg_hba.conf?

AFAIK there is no such thing as a "Bonjour connection"; Bonjour just provides a means for the server to advertise its IP address. I speculate that what it's advertising is a port that you have configured to be trusted.

regards, tom lane
Re: BUG #4330: Bonjour connections ignore hba config METHOD and always trusted
From
William Kyngesburye
Date:
On Jul 28, 2008, at 3:35 PM, Tom Lane wrote:

> "William Kyngesburye" <kyngchaos@kyngchaos.com> writes:
>> When connecting with the Bonjour name of the postgres server, it ignores the
>> md5 setting and always trusts the connection. I tried with other auth
>> methods with the same effect.
>
> What exactly have you got in pg_hba.conf?
>
> AFAIK there is no such thing as a "Bonjour connection"; Bonjour just
> provides a means for the server to advertise its IP address. I
> speculate that what it's advertising is a port that you have configured
> to be trusted.
>
> regards, tom lane

The default:

# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust

and:

host all somerole 192.168.1.0/24 md5

The local unix and local tcp lines aren't catching the connection - if I remove my added connection, all external connections fail, as expected. And I tried reordering it so my addition is first, but a bonjour connection is still trusted.

I realize that bonjour just supplies IP info to the client. I too find it strange that the server would see the connection differently.

-----
William Kyngesburye <kyngchaos*at*kyngchaos*dot*com>
http://www.kyngchaos.com/

"Time is an illusion - lunchtime doubly so."
- Ford Prefect
William Kyngesburye <kyngchaos@kyngchaos.com> writes:
>> What exactly have you got in pg_hba.conf?

> The default:

> # "local" is for Unix domain socket connections only
> local all all trust
> # IPv4 local connections:
> host all all 127.0.0.1/32 trust
> # IPv6 local connections:
> host all all ::1/128 trust

> and:

> host all somerole 192.168.1.0/24 md5

Well, there's an awful lot of "trust" laying about there. I'd suggest enabling log_connections so you can see what address the connections are actually coming in on.

regards, tom lane
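
An added example, not part of the thread or of PostgreSQL: a simplified model of first-match pg_hba.conf evaluation over the four records posted above, showing which auth method a given client address would receive. It assumes only `local` and `host` records with `all` or a single name for database and user; the database name `mydb` and the client addresses are constructed.

```python
import ipaddress

# Rules as posted in the thread; order matters because the first match wins.
PG_HBA = """\
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all somerole 192.168.1.0/24 md5
"""

def parse_hba(text):
    """Parse 'local' and 'host' records; skip comments and blank lines."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0] == "local":
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f and f[0] == "host":
            rules.append(("host", f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def auth_method(rules, user, database, client_addr=None):
    """Auth method of the first matching record, or None if nothing matches
    (the server rejects the connection). client_addr=None models a Unix socket."""
    addr = ipaddress.ip_address(client_addr) if client_addr else None
    for kind, db, role, net, method in rules:
        if (kind == "local") != (addr is None):
            continue  # socket type must match the record type
        if db not in ("all", database) or role not in ("all", user):
            continue
        if addr is not None and (addr.version != net.version or addr not in net):
            continue
        return method  # no fall-through to later records
    return None

RULES = parse_hba(PG_HBA)

if __name__ == "__main__":
    # Constructed client addresses, e.g. what log_connections might report.
    for addr in (None, "127.0.0.1", "::1", "192.168.1.20", "fe80::1"):
        print(addr, "->", auth_method(RULES, "somerole", "mydb", addr))
```

Feeding it the client address that log_connections reports for a connection shows which record the posted configuration would select for it.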