Thread: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

From
hv@tbz-pariv.de
Date:
The following bug has been logged on the website:

Bug reference:      8375
Logged by:          Thomas Güttler
Email address:      hv@tbz-pariv.de
PostgreSQL version: 9.2.4
Operating system:   Linux
Description:

For easier deployment it would be nice to have an include_dir directive in
pg_hba.conf.


Related:
http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2a0c81a12c7e6c5ac1557b0f1f4a581f23fd4ca7

Re: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

From
Tom Lane
Date:
hv@tbz-pariv.de writes:
> For easier deployment it would be nice to have an include_dir directive in
> pg_hba.conf.

This doesn't seem like a remarkably good idea from here, mainly because
entries in pg_hba.conf are critically order-dependent.  Dropping random
entries into a conf.d-like directory could produce unexpected results
--- and in this case, "unexpected result" probably means "security
failure".

            regards, tom lane

Re: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

From
Terje Elde
Date:
On 8. aug. 2013, at 14:39, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> This doesn't seem like a remarkably good idea from here, mainly because
> entries in pg_hba.conf are critically order-dependent.  Dropping random
> entries into a conf.d-like directory could produce unexpected results
> --- and in this case, "unexpected result" probably means "security
> failure".

Don't mean to spark or fuel any major discussion on this, but other than seconding that, I'd like to add in that if you need anything that advanced, chances are that you should either look at simplifying (wildcard usernames, etc.), look at other authentication systems (PAM), or set up a build system for pg_hba.

Terje

Re: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

From
Magnus Hagander
Date:
On Thu, Aug 8, 2013 at 2:39 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> hv@tbz-pariv.de writes:
>> For easier deployment it would be nice to have an include_dir directive in
>> pg_hba.conf.
>
> This doesn't seem like a remarkably good idea from here, mainly because
> entries in pg_hba.conf are critically order-dependent.  Dropping random
> entries into a conf.d-like directory could produce unexpected results
> --- and in this case, "unexpected result" probably means "security
> failure".

If they are random, yes. You could easily define them as ordered
though, by strict alphabetical ordering etc.

It's still a pretty decently sized footgun for people though, and I'm
not sure how useful it would actually be. And with the risk of
misconfiguration being a security hole rather than a badly configured
database (which would be the problem with a similar thing for
postgresql.conf).

Perhaps the OP has a specific usecase to share where this would
actually be both safe and useful?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
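As an added illustration of the order-dependence Tom and Magnus describe (example code written for this page, not from the thread or from PostgreSQL itself): a deliberately simplified model of pg_hba.conf first-match evaluation, run over constructed fragments standing in for files in a hypothetical include directory. The same three fragments produce a different effective policy for a client in a blocked network depending only on the order in which they are concatenated.

```python
from ipaddress import ip_address, ip_network

# Constructed fragments standing in for files in a hypothetical
# pg_hba.conf include directory (file names and contents are made up).
FRAGMENTS = {
    "10-blocklist.conf": "host all   all     203.0.113.0/24 reject  # must never connect\n",
    "50-app.conf":       "host appdb appuser 10.1.2.0/24    md5\n",
    "90-catchall.conf":  "host all   all     0.0.0.0/0      md5\n",
}

def parse_hba(text):
    """Parse 'host' lines of a pg_hba.conf fragment into rule dicts.
    Simplified: no local/hostssl lines, groups, sameuser or @file syntax."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind, db, user, cidr, method = line.split()[:5]
        rules.append({"db": db, "user": user,
                      "net": ip_network(cidr, strict=False), "method": method})
    return rules

def assemble(fragments, order):
    """Concatenate fragments in the given order, as an include_dir would."""
    rules = []
    for name in order:
        rules.extend(parse_hba(fragments[name]))
    return rules

def first_match(rules, db, user, addr):
    """Return the auth method of the first matching rule (pg_hba semantics).
    None means no rule matched, which the server treats as a rejection."""
    ip = ip_address(addr)
    for r in rules:
        if r["db"] in ("all", db) and r["user"] in ("all", user) and ip in r["net"]:
            return r["method"]
    return None

if __name__ == "__main__":
    client = ("appdb", "appuser", "203.0.113.7")  # constructed: inside the blocked /24
    by_name = sorted(FRAGMENTS)                   # strict alphabetical include order
    arbitrary = ["90-catchall.conf", "10-blocklist.conf", "50-app.conf"]  # e.g. raw directory listing
    print("sorted order:   ", first_match(assemble(FRAGMENTS, by_name), *client))    # reject
    print("arbitrary order:", first_match(assemble(FRAGMENTS, arbitrary), *client))  # md5
```

With the fragments sorted by name the blocklist entry is consulted first and the client is rejected; if the catch-all happens to be read first, the blocklist never applies and the client is offered password authentication, which is exactly the silent "security failure" that an unordered include directory invites.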