Thread: Silent failure with invalid hba_file setting

Hi,

I noticed that if the hba_file setting in the config is uncommented and set to a directory instead of the full path to the file, no error occurs when the service starts. For example:

hba_file = '/home/thom/Development/data'

The problem with this is you cannot get into the database as it acts as if it did find the hba file but found it empty.

Shouldn't a check be in place to ensure that the parameter resolves to a file rather than anything else? And even if it does find a file, but it's empty, shouldn't it also produce a warning of some kind?

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Thom Brown <thom@linux.com> writes:
> I noticed that if the hba_file setting in the config is uncommented
> and set to a directory instead of the full path to the file, no error
> occurs when the service starts.

When I try that, I get a boatload of errors ending with

FATAL: could not load pg_hba.conf

I suspect what happened to you is that the directory read like an empty file, so Postgres didn't see any error condition. I suppose we could add an fstat test to see if we'd opened something other than a regular file, but I'm not terribly excited about it.

> The problem with this is you cannot get into the database as it acts
> as if it did find the hba file but found it empty.

Well, an actually empty pg_hba.conf file would have the same problem, and it's pretty hard to see any situation where it would be useful to start the postmaster and not let it accept any connections. Should we add a check to consider it an error if the file doesn't contain at least one HBA record?

regards, tom lane

On 19 October 2011 00:38, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Thom Brown <thom@linux.com> writes:
>> I noticed that if the hba_file setting in the config is uncommented
>> and set to a directory instead of the full path to the file, no error
>> occurs when the service starts.
>
> When I try that, I get a boatload of errors ending with
> FATAL: could not load pg_hba.conf
>
> I suspect what happened to you is that the directory read like an empty
> file, so Postgres didn't see any error condition. I suppose we could
> add an fstat test to see if we'd opened something other than a regular
> file, but I'm not terribly excited about it.
>
>> The problem with this is you cannot get into the database as it acts
>> as if it did find the hba file but found it empty.
>
> Well, an actually empty pg_hba.conf file would have the same problem,
> and it's pretty hard to see any situation where it would be useful to
> start the postmaster and not let it accept any connections. Should we
> add a check to consider it an error if the file doesn't contain at least
> one HBA record?

That would solve both problems, so +1 for that.

--
Thom Brown

On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
> > The problem with this is you cannot get into the database as it acts
> > as if it did find the hba file but found it empty.
>
> Well, an actually empty pg_hba.conf file would have the same problem,
> and it's pretty hard to see any situation where it would be useful to
> start the postmaster and not let it accept any connections. Should we
> add a check to consider it an error if the file doesn't contain at least
> one HBA record?

If you try to connect and it doesn't find a record, it will tell you. I wouldn't add extra special checks for that. It might not be completely unreasonable to have a standby that no one can connect to, for example.

Peter Eisentraut <peter_e@gmx.net> writes:
> On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
>> Well, an actually empty pg_hba.conf file would have the same problem,
>> and it's pretty hard to see any situation where it would be useful to
>> start the postmaster and not let it accept any connections. Should we
>> add a check to consider it an error if the file doesn't contain at least
>> one HBA record?

> If you try to connect and it doesn't find a record, it will tell you.

Yeah, but the damage is already done. I see the main practical benefit of this being to prevent accidental loading of a trashed pg_hba file.

> I wouldn't add extra special checks for that. It might not be
> completely unreasonable to have a standby that no one can connect to,
> for example.

Well, you couldn't monitor its state then, so I don't find that example very convincing. But if you were intent on having that, you could easily set up a pg_hba file containing only "reject" entries.

regards, tom lane

On Oct 19, 2011 6:21 AM, "Tom Lane" <tgl@sss.pgh.pa.us> wrote:
>
> Peter Eisentraut <peter_e@gmx.net> writes:
>> On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
>>> Well, an actually empty pg_hba.conf file would have the same problem,
>>> and it's pretty hard to see any situation where it would be useful to
>>> start the postmaster and not let it accept any connections. Should we
>>> add a check to consider it an error if the file doesn't contain at least
>>> one HBA record?
>
>> If you try to connect and it doesn't find a record, it will tell you.
>
> Yeah, but the damage is already done. I see the main practical benefit
> of this being to prevent accidental loading of a trashed pg_hba file.

Yeah, definitely. It's very much a pita when you accidentally do that with a syntax error on <8.4,%. So while I haven't actually managed to hit his specific problem myself, +1 for this approach.

>> I wouldn't add extra special checks for that. It might not be
>> completely unreasonable to have a standby that no one can connect to,
>> for example.
>
> Well, you couldn't monitor its state then, so I don't find that example
> very convincing. But if you were intent on having that, you could
> easily set up a pg_hba file containing only "reject" entries.
>

Yeah, seems reasonable to put a (very) small amount of extra work in the path of a very uncommon scenario in order to protect users in the common one...

/Magnus

On 19 October 2011 05:50, Peter Eisentraut <peter_e@gmx.net> wrote:
> On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
>> > The problem with this is you cannot get into the database as it acts
>> > as if it did find the hba file but found it empty.
>>
>> Well, an actually empty pg_hba.conf file would have the same problem,
>> and it's pretty hard to see any situation where it would be useful to
>> start the postmaster and not let it accept any connections. Should we
>> add a check to consider it an error if the file doesn't contain at least
>> one HBA record?
>
> If you try to connect and it doesn't find a record, it will tell you.

Yes, but then the user could end up pulling their hair out trying to figure out why it's not matching any of the rules in the pg_hba.conf file, when it's not being used at all. Because there would have been no indication that it failed to find the file in question when the service started, the user may, rightly or wrongly, assume that the file was being read, but they had somehow misconfigured the file.

--
Thom Brown

On 19 October 2011 05:20, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Peter Eisentraut <peter_e@gmx.net> writes:
>> I wouldn't add extra special checks for that. It might not be
>> completely unreasonable to have a standby that no one can connect to,
>> for example.
>
> Well, you couldn't monitor its state then, so I don't find that example
> very convincing. But if you were intent on having that, you could
> easily set up a pg_hba file containing only "reject" entries.

I hadn't noticed you'd committed some changes around this until now. Thanks.

--
Thom Brown
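
The two startup checks discussed in this thread (an fstat test that the opened object is a regular file, and treating a file with no HBA record as an error), written out as an added example. It is not PostgreSQL's code and not the change that was committed; `check_hba_file`, `count_records`, the status names and the sample file under `/tmp` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum hba_status { HBA_OK, HBA_OPEN_FAILED, HBA_NOT_REGULAR, HBA_NO_RECORDS }; /* hypothetical */

/* Count lines holding anything besides whitespace and '#' comments. */
static int count_records(FILE *fp)
{
    int c, n = 0, seen = 0, in_comment = 0;
    while ((c = getc(fp)) != EOF) {
        if (c == '\n') { n += seen; seen = in_comment = 0; }
        else if (c == '#') in_comment = 1;
        else if (!in_comment && !isspace(c)) seen = 1;
    }
    return n + seen;            /* the last line may lack a newline */
}

enum hba_status check_hba_file(const char *path)
{
    struct stat st;
    FILE *fp;
    int n, fd = open(path, O_RDONLY | O_NONBLOCK);  /* never block on a FIFO */
    if (fd < 0) return HBA_OPEN_FAILED;
    /* fstat the descriptor itself, so the test and the read see one object. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return HBA_NOT_REGULAR; /* directory, device, FIFO, ... */
    }
    if ((fp = fdopen(fd, "r")) == NULL) {
        close(fd);
        return HBA_OPEN_FAILED;
    }
    n = count_records(fp);
    fclose(fp);
    return n > 0 ? HBA_OK : HBA_NO_RECORDS;
}

int main(void)
{
    /* Constructed sample: a file holding a single "reject" record. */
    const char *path = "/tmp/hba_reject_example.conf";
    FILE *fp = fopen(path, "w");
    if (fp) { fputs("host all all 0.0.0.0/0 reject\n", fp); fclose(fp); }
    printf("directory=%d reject-only=%d\n", check_hba_file("/tmp"), check_hba_file(path));
    return 0;
}
```

A file containing only "reject" entries passes the record check, so the no-connections standby case raised in the thread stays expressible while a directory or a comment-only file is refused at startup.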