Thread: Allow IDENT authentication on local connections (Linux only)
Hello,

the attached patch against 7.1.2 allows the use of identd-like authentication on unix domain sockets.

This is done by getting the uid of the connecting process via getsockopt(... SO_PEERCRED ...), which to my knowledge is Linux-specific, but I may be wrong.

The patch does not contain a configure macro to enable the feature; add

    #define HAVE_SO_PEERCRED 1

to include/config.h before building to activate it.

I have been using this feature since 7.0.1 and would be grateful if something like this could be integrated.

Regards,
Helge
Attachment
This is an interesting patch. We have toyed with the idea before of getting credentials of unix-domain sockets. I think each OS has different ways of doing it. Solaris and BSD have different ways too. I don't see any configure.in code here to test for the CRED capability.

How does this affect pg_hba.conf? Did you specify "trust" on that line? Do we test when they have specified trust, and if not, what word do we use?

> Hello,
>
> the attached patch against 7.1.2 allows to use identd-like authentication
> on unix domain sockets.
>
> This is done by getting the uid of the connecting process via
> getsockopt(... SO_PEERCRED ...) which to my knowledge is Linux-specific,
> but I may be wrong.
>
> The patch does not contain a configure macro to enable the feature, add
> #define HAVE_SO_PEERCRED 1
> to include/config.h before building to activate it.
>
> I have been using this feature since 7.0.1 and would be grateful if
> something like this could be integrated.
>
> Regards,
> Helge
>
> [ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

-- 
Bruce Momjian                  | http://candle.pha.pa.us
pgman@candle.pha.pa.us         | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup.    | Drexel Hill, Pennsylvania 19026
On Tue, 31 Jul 2001, Bruce Momjian wrote:

> I don't see any configure.in code here to test for the CRED capability.

No, as I wrote in my mail; I wanted to get some comments first on whether this is useful at all. I'm no autoconf guru, so there may be a better way (help wanted!), but here it goes as a quick hack:

    AC_EGREP_CPP(yes,
    [#include <sys/socket.h>
    #ifdef SO_PEERCRED
    yes
    #endif
    ],
    AC_DEFINE(HAVE_SO_PEERCRED),
    [])

and a corresponding entry to config.h.in:

    /* Define if you have SO_PEERCRED */
    #undef HAVE_SO_PEERCRED

I'll make a new patch if you prefer.

> How does this affect pg_hba.conf? Did you specify "trust" on that line?

Simply specify "ident", like the following:

    local all ident sameuser

> Do we test when they have specified trust, and if not, what word do we
> use?

No, this would change the semantics of an existing keyword. I think it is quite logical to use "ident" as a keyword for both local and remote connections.

Regards,
Helge
> On Tue, 31 Jul 2001, Bruce Momjian wrote:
> > I don't see any configure.in code here to test for the CRED capability.
> No, as I wrote in my mail; wanted to get some comment first, if this
> is useful at all. I'm no autoconf guru, so there may be a better
> way (help wanted!), but here it goes as a quick hack:
>
>     AC_EGREP_CPP(yes,
>     [#include <sys/socket.h>
>     #ifdef SO_PEERCRED
>     yes
>     #endif
>     ],
>     AC_DEFINE(HAVE_SO_PEERCRED),
>     [])
>
> and a corresponding entry to config.h.in:
>
>     /* Define if you have SO_PEERCRED */
>     #undef HAVE_SO_PEERCRED

OK, no problem. It is easy to add.

> I'll make a new patch if you prefer.
>
> > How does this affect pg_hba.conf? Did you specify "trust" on that line?
> simply specify "ident", like the following:
>
>     local all ident sameuser
>
> > Do we test when they have specified trust, and if not, what word do we
> > use?
> No, this would change semantics of an existing keyword. I think it is
> quite logical to use "ident" as a keyword for both local and remote
> connections.

This makes sense. We can't currently do local/ident and it makes sense to use that here. I figure we could add this and add other OS's as we need them.

Does it report a pg_hba.conf error if your OS doesn't support this?

-- 
Bruce Momjian                  | http://candle.pha.pa.us
pgman@candle.pha.pa.us         | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup.    | Drexel Hill, Pennsylvania 19026
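The mechanism the thread is discussing, as an added stand-alone example (not the attached patch and not PostgreSQL code): ask the kernel for the uid of the peer on a unix-domain socket and apply the "sameuser" rule from the pg_hba.conf line Helge shows, `local all ident sameuser`. The Linux path is the getsockopt(SO_PEERCRED) call from the first mail; the getpeereid() path for BSD and macOS is an assumption added here to illustrate Bruce's point that every OS does this differently, and the ENOSYS branch is one answer to his question about systems that support neither (refuse, rather than trust). `peer_uid`, `ident_sameuser_ok` and `struct peer_cred` are names chosen for this example; `struct peer_cred` mirrors the documented pid/uid/gid layout of the Linux `struct ucred`. A socketpair() stands in for a client connecting to the postmaster's socket, so the "peer" is the process itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as the Linux `struct ucred` filled in by SO_PEERCRED
 * (pid, uid, gid, in that order). Declared locally so the example builds
 * regardless of which feature macros were set when <sys/socket.h> was
 * first included. (Example-only name.) */
struct peer_cred {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/*
 * Effective uid of the process on the other end of unix-domain socket fd.
 * Returns 0 and sets *uid_out on success, -1 with errno set otherwise.
 *
 * Linux: SO_PEERCRED, the call the patch relies on. The credentials are the
 * ones in effect at connect()/listen()/socketpair() time; a later setuid()
 * by the peer is not reflected.
 * BSD/macOS: getpeereid(), assumed here; the thread only says these do it
 * differently.
 * Anything else: ENOSYS, so a caller never silently trusts the connection.
 */
int peer_uid(int fd, uid_t *uid_out)
{
#if defined(SO_PEERCRED)
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;                       /* ENOTSOCK, ENOTCONN, ... */
    *uid_out = cred.uid;
    return 0;
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
      defined(__NetBSD__) || defined(__DragonFly__)
    uid_t euid;
    gid_t egid;
    if (getpeereid(fd, &euid, &egid) < 0)
        return -1;
    *uid_out = euid;
    return 0;
#else
    (void)fd;
    (void)uid_out;
    errno = ENOSYS;
    return -1;
#endif
}

/*
 * The "sameuser" ident map: the OS account name of the connecting process
 * must equal the database user being requested. Returns 1 to allow, 0 to
 * deny. Every failure path denies; an unidentifiable peer or a uid with no
 * passwd entry must never fall through to success.
 */
int ident_sameuser_ok(int fd, const char *requested_user)
{
    uid_t uid;
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (requested_user == NULL || peer_uid(fd, &uid) < 0)
        return 0;
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return 0;
    return strcmp(res->pw_name, requested_user) == 0;
}

int main(void)
{
    int fds[2];
    uid_t uid;
    struct passwd *me;

    /* Constructed stand-in for client <-> postmaster unix socket. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) {
        perror("socketpair");
        return 1;
    }
    if (peer_uid(fds[0], &uid) < 0) {
        perror("peer credentials unavailable");   /* e.g. ENOSYS */
        return 1;
    }
    printf("peer uid = %lu, our uid = %lu\n",
           (unsigned long)uid, (unsigned long)getuid());

    me = getpwuid(getuid());
    if (me != NULL)
        printf("sameuser for \"%s\": %s\n", me->pw_name,
               ident_sameuser_ok(fds[1], me->pw_name) ? "allow" : "deny");
    printf("sameuser for \"someone-else\": %s\n",
           ident_sameuser_ok(fds[1], "someone-else") ? "allow" : "deny");
    return 0;
}
```

Two caveats a deployment should keep in mind: the uid is the peer's effective uid as of the connect, so a setuid client binary authenticates as the owner of the binary, not the invoking user; and the name comparison goes through the passwd database, so a uid without an entry is denied even though it is a perfectly valid peer.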
There is a more complete version of this capability in the Debian patch set. I think we've been waiting for Oliver to pull it out and submit it as a patch...

regards, tom lane