Thread: Pg_hba not using local setting

Pg_hba not using local setting

From: James Hall
Hello,

Running version 7.1, have the following entry in PG_HBA.CONF:
---
Local        all        trust
Host        all        123.0.0.0        255.255.255.0        password
---

With that setting, anyone can login to the database [via our web based
interface]
WITHOUT a valid password. If I change local from trust to password then web
based users have to enter their specific password to login to the database.
But none of the backup scripts run because postgres needs a password.

Is this a bug, or do I have a misunderstanding of the local use?

Thanks,
-jim

Re: Pg_hba not using local setting

From: Tony Grant
On Fri, 2003-03-14 at 17:22, James Hall wrote:

> Running version 7.1, have the following entry in PG_HBA.CONF:
> ---
> Local        all        trust
> Host        all        123.0.0.0        255.255.255.0        password
> ---
>
> With that setting, anyone can login to the database [via our web based
> interface]
> WITHOUT a valid password. If I change local from trust to password then web
> based users have to enter their specific password to login to the database.
> But none of the backup scripts run because postgres needs a password.
>
> Is this a bug, or do I have a misunderstanding of the local use?

What is your web interface programmed in?

I have set up a tomcat user who can access the database. So only tomcat
and the postgres users can access the database. Users log into the
application, not the database in my case. I think that might be a better
security model.

Cheers

Tony Grant
--
www.tgds.net Library management software toolkit,
redhat linux on Sony Vaio C1XD,
Dreamweaver MX with Tomcat and PostgreSQL


Re: Pg_hba not using local setting

From: Doug McNaught
James Hall <James.Hall@RadioShack.com> writes:

> Hello,
>
> Running version 7.1, have the following entry in PG_HBA.CONF:
> ---
> Local        all        trust
> Host        all        123.0.0.0        255.255.255.0        password
> ---
>
> With that setting, anyone can login to the database [via our web based
> interface]
> WITHOUT a valid password. If I change local from trust to password then web
> based users have to enter their specific password to login to the database.
> But none of the backup scripts run because postgres needs a password.
>
> Is this a bug, or do I have a misunderstanding of the local use?

It sounds like you're running the webserver on the same machine as the
database.  If this is true, and if you're not using Java (which
doesn't do local sockets) the client access library is probably using
a local (AF_UNIX) socket to connect, which triggers the "Local" entry
in pg_hba.conf.

If you explicitly tell the webserver to connect using an IP address,
it should come in via a TCP connection and trigger the "Host" line
that you have.

-Doug

Re: Pg_hba not using local setting

From: James Hall
Thanks for your response.

I changed pg_hba.conf to include the server ip address as shown below:
---
Local        all        trust
Host        all        123.456.789.10        255.255.255.0        password
---

But still have the same result (users can login with any password if local
is set to trust). The web server is on the same machine as the database, no
java used.

Did I misunderstand your comment regarding telling the webserver to connect
using an IP address?

Thanks,
-jim


-----Original Message-----
From: Doug McNaught [mailto:doug@mcnaught.org]
Sent: Friday, March 14, 2003 10:38 AM
To: James Hall
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Pg_hba not using local setting


James Hall <James.Hall@RadioShack.com> writes:

> Hello,
>
> Running version 7.1, have the following entry in PG_HBA.CONF:
> ---
> Local        all        trust
> Host        all        123.0.0.0        255.255.255.0        password
> ---
>
> With that setting, anyone can login to the database [via our web based
> interface] WITHOUT a valid password. If I change local from trust to
> password then web based users have to enter their specific password to
> login to the database. But none of the backup scripts run because
> postgres needs a password.
>
> Is this a bug, or do I have a misunderstanding of the local use?

It sounds like you're running the webserver on the same machine as the
database.  If this is true, and if you're not using Java (which doesn't do
local sockets) the client access library is probably using a local (AF_UNIX)
socket to connect, which triggers the "Local" entry in pg_hba.conf.

If you explicitly tell the webserver to connect using an IP address, it
should come in via a TCP connection and trigger the "Host" line that you
have.

-Doug

Re: Pg_hba not using local setting

From: Doug McNaught
James Hall <James.Hall@RadioShack.com> writes:

> Thanks for your response.
>
> I changed pg_hba.conf to include the server ip address as shown below:
> ---
> Local        all        trust
> Host        all        123.456.789.10        255.255.255.0        password
> ---
>
> But still have the same result (users can login with any password if local
> is set to trust). The web server is on the same machine as the database, no
> java used.
>
> Did I misunderstand your comment regarding telling the webserver to connect
> using an IP address?

Yes.

You need to set the webapp's database config to make it connect to
an IP address instead of using the Unix socket (which it does by
default for same-machine connections).  I can't tell you how to do
this because you haven't said what language/app server you're using
for the website.

-Doug

Re: Pg_hba not using local setting

From: James Hall
I thought I may be confused.

I am using RH 7.1 (apache) and perl.

Thanks,
-jim


-----Original Message-----
From: Doug McNaught [mailto:doug@mcnaught.org]
Sent: Friday, March 14, 2003 12:49 PM
To: James Hall
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Pg_hba not using local setting


James Hall <James.Hall@RadioShack.com> writes:

> Thanks for your response.
>
> I changed pg_hba.conf to include the server ip address as shown below:
> ---
> Local        all        trust
> Host        all        123.456.789.10        255.255.255.0        password
> ---
>
> But still have the same result (users can login with any password if
> local is set to trust). The web server is on the same machine as the
> database, no java used.
>
> Did I misunderstand your comment regarding telling the webserver to
> connect using an IP address?

Yes.

You need to set the webapp's database config to make it connect to an IP
address instead of using the Unix socket (which it does by default for
same-machine connections).  I can't tell you how to do this because you
haven't said what language/app server you're using for the website.

-Doug

Re: Pg_hba not using local setting

From: Oliver Elphick
On Fri, 2003-03-14 at 18:48, Doug McNaught wrote:
> James Hall <James.Hall@RadioShack.com> writes:
>
> > Thanks for your response.
> >
> > I changed pg_hba.conf to include the server ip address as shown below:
> > ---
> > Local        all        trust
> > Host        all        123.456.789.10        255.255.255.0        password
> > ---
> >
> > But still have the same result (users can login with any password if local
> > is set to trust). The web server is on the same machine as the database, no
> > java used.
> >
> > Did I misunderstand your comment regarding telling the webserver to connect
> > using an IP address?
>
> Yes.
>
> You need to set the webapp's database config to make it connect to
> an IP address instead of using the Unix socket (which it does by
> default for same-machine connections).  I can't tell you how to do
> this because you haven't said what language/app server you're using
> for the website.

The webserver is on the same machine and is not specifying a hostname
when it connects to PostgreSQL; therefore a Unix socket is used and the
local line in pg_hba.conf governs it.  If you tell it to connect to
localhost, it will use TCP/IP instead.  You then need a host line for
127.0.0.1.

--
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "Bless them which persecute you; bless, and curse not.
      Rejoice with them that do rejoice, and weep with them
      that weep. Recompense to no man evil for evil. Provide
      things honest in the sight of all men."
                                  Romans 12:14,15,17
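To make the first-match behaviour Doug and Oliver describe concrete, here is an added Python model (not PostgreSQL's own parser) of how a 7.1-style pg_hba.conf is resolved: a Unix-socket connection consults only "local" lines, a TCP connection only "host" lines whose address/mask covers the client. Both configs and the database name are constructed; PG_HBA_FIXED assumes the backup scripts can supply postgres's password themselves, which the thread does not settle.

```python
# Simplified model of pg_hba.conf first-match resolution (added example,
# not PostgreSQL's real parser). Given the connection type, database and
# client address, return the auth method of the first matching line.
import ipaddress

# Constructed config mirroring the thread: the "local" line is what a
# same-machine webserver using the Unix socket actually hits.
PG_HBA_ORIGINAL = """
local   all   trust
host    all   123.0.0.0   255.255.255.0   password
"""

# Constructed corrected config: Unix-socket logins need a password too,
# and a host line for 127.0.0.1 covers a webserver told to use localhost.
PG_HBA_FIXED = """
local   all   password
host    all   127.0.0.1   255.255.255.255   password
host    all   123.0.0.0   255.255.255.0     password
"""

def parse_hba(text):
    """Parse 7.1-style lines: local DB METHOD / host DB IP MASK METHOD."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        kind = fields[0].lower()
        if kind == "local":
            db, method = fields[1], fields[2]
            rules.append((kind, db, None, method))
        elif kind == "host":
            db, addr, mask, method = fields[1:5]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((kind, db, net, method))
    return rules

def resolve(rules, conn_type, database, client_ip=None):
    """Auth method of the first line matching the connection, else None
    (no match means the server rejects the connection)."""
    for kind, db, net, method in rules:
        if kind != conn_type:
            continue
        if db != "all" and db != database:
            continue
        if kind == "host" and ipaddress.ip_address(client_ip) not in net:
            continue
        return method
    return None
```

With the original config, a Unix-socket connection resolves to "trust" regardless of the host line, and a TCP connection from 127.0.0.1 matches nothing at all, which is why both a password on the local line and a 127.0.0.1 host line are needed.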