Thread: BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
From
"security improvement proposal: pg_hba.conf and CIDR mask"
Date:
The following bug has been logged online:

Bug reference: 4433
Logged by: security improvement proposal: pg_hba.conf and CIDR mask
Email address: marc@intershop.de
PostgreSQL version: 8.2.4
Operating system: Linux
Description: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
Details:

Hello,

not really a bug, but a possible security issue for wrongly configured installations.

A CIDR mask length of 0 will allow connecting from any location. I made this mistake as I didn't read the documentation carefully enough.

Checking the mask against the IP address would prevent such errors:

/0 : disallow ?
/24 : IP must end with .0
/16 : IP must end with .0.0
...

HTH,

Marc Mamin
Re: BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
From
Craig Ringer
Date:
security improvement proposal: pg_hba.conf and CIDR mask wrote:
> The following bug has been logged online:
>
> Bug reference: 4433
> Logged by: security improvement proposal: pg_hba.conf and CIDR mask
> Email address: marc@intershop.de
> PostgreSQL version: 8.2.4
> Operating system: Linux
> Description: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
> Details:
>
> Hello,
>
> not really a bug, but a possible security issue for wrongly configured installations.
>
> A CIDR mask length of 0 will allow connecting from any location. I made this mistake as I didn't read the documentation carefully enough.
>
> Checking the mask against the IP address would prevent such errors:
>
> /0 : disallow ?

0.0.0.0/0 should continue to be accepted.

> /24 : IP must end with .0
> /16 : IP must end with .0.0

If you're going to do that, you might as well enforce it for any CIDR subnet and say that the address given must be the network address, not a host address within the network. That way it works for non-multiple-of-8 CIDR subnets too.

--
Craig Ringer
Re: BUG #4433: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning
From
toruvinn
Date:
On Tue, 23 Sep 2008 11:44:24 +0200, security improvement proposal: pg_hba.conf and CIDR mask <marc@intershop.de> wrote:

> Description: entries like "host all all 10.0.50.31/0 ..." should not be allowed or trigger a warning

> A CIDR mask length of 0 will allow connecting from any location.

Hm, it will allow matching any location; what it does with that later depends on your settings. Putting "reject" as the method will, well, reject them.

Also, I use "host dbname username 0.0.0.0/0 md5" in quite a few places, and I believe I know what I'm doing. ;-)

> Checking the mask against the IP address would prevent such errors:
> /0 : disallow ?

Sorry, I can't agree here. I need that!

Kind of off-topic:

> /24 : IP must end with .0
> /16 : IP must end with .0.0
> ...

Precisely, /24 is A.B.C.*, /16 is A.B.*.*, /8 is A.*.*.*. It's not just .0 or .0.0, it's "anything".

HTH too. ;-)

--
ru
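The check proposed in the report, in the generalized form Craig Ringer suggests (the address must be the network address for its mask, whatever the prefix length), written as a stand-alone linter for pg_hba.conf. This is an added example, not PostgreSQL's own code and not something any participant in this thread wrote. It assumes the TYPE DATABASE USER ADDRESS METHOD record layout of pg_hba.conf, including the separate address/netmask two-column form, uses Python's standard ipaddress module, and runs on a constructed sample config embedded below. As toruvinn points out, 0.0.0.0/0 is a legitimate catch-all, so it is accepted; only addresses with host bits set beyond their mask (10.0.50.31/0, 192.168.7.9/24, and the IPv6 and two-column equivalents) are reported.

```python
"""Lint pg_hba.conf host records whose address has host bits set beyond
its mask, e.g. "10.0.50.31/0" (which matches every client).  Added
example, not part of PostgreSQL; it runs outside the server on a file."""
import ipaddress
import sys

HOST_TYPES = {"host", "hostssl", "hostnossl"}
KEYWORDS = {"all", "samehost", "samenet"}   # address keywords, not IP ranges


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def network_mismatch(address, netmask=None):
    """Return (as_written, intended_network) when the address is a host
    address inside the masked network rather than the network address
    itself; None when the entry is fine or is not an IP range at all.
    Works for any prefix length and for IPv6, not only /8, /16 and /24."""
    if address in KEYWORDS or (netmask is None and "/" not in address):
        return None                   # keyword, hostname or bare address: skip
    spec = address if netmask is None else (address, netmask)
    try:
        ipaddress.ip_network(spec, strict=True)
        return None                   # already a proper network address
    except ValueError:
        pass                          # host bits set, or not an IP range
    try:
        intended = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None                   # e.g. a hostname containing "/"
    as_written = address if netmask is None else "%s %s" % (address, netmask)
    return as_written, str(intended)


def lint_pg_hba(text):
    """Return [(line_no, as_written, intended_network), ...] for every
    host/hostssl/hostnossl record whose address has host bits set."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # drop comments
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue                                   # local, blank or short
        address, netmask = fields[3], None
        # Two-column form: "host db user 10.0.50.0 255.255.255.0 md5"
        if "/" not in address and len(fields) >= 6 and _is_ip(fields[4]):
            netmask = fields[4]
        mismatch = network_mismatch(address, netmask)
        if mismatch:
            findings.append((line_no,) + mismatch)
    return findings


# Constructed sample config for the demonstration; not a real deployment.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                   METHOD
local   all       all                             trust
host    all       all   10.0.50.31/0              md5     # the report's mistake
host    all       all   0.0.0.0/0                 reject  # legitimate catch-all
host    db1       bob   0.0.0.0/0                 md5     # deliberate, as in the reply
host    all       all   192.168.7.0/24            md5
host    all       all   192.168.7.9/24            md5     # host bits set
host    all       all   10.1.2.3 255.255.255.0    md5     # two-column form, host bits set
host    all       all   2001:db8:1::7/64          md5     # IPv6, host bits set
hostssl all       all   172.16.4.128/26           md5     # not octet-aligned, but valid
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PG_HBA
    for line_no, as_written, intended in lint_pg_hba(text):
        print("line %d: %s has host bits set; the network is %s"
              % (line_no, as_written, intended))
```

Run it with the path to a pg_hba.conf as the only argument, or with no argument to lint the embedded sample. It only warns; whether a flagged line is harmful still depends on the METHOD column, which is why 0.0.0.0/0 with reject or with a deliberate md5 passes untouched and 10.0.50.31/0 is reported together with the network it actually matches.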