Thread: getpeereid() for local ident
Regarding the following "openbsd getpeereid(), local ident:" thread on the pgsql-patches list, Nov 2002:

Bruce Momjian wrote:
> Please send over the patch and I will see if I can get it in. I had
> meant to add getpeereid() for OpenBSD myself but never got the time.
> ...
> William Ahern wrote:
> > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > said that something like it was already in, but "not using
> > getpeereid". however, openbsd only supports getpeereid(). will this
> > patch be implemented?

I needed the local ident authentication feature on OpenBSD and it seemed simple enough, so I implemented it myself. I have attached my patch, which was made for the 7.3.1 source tree. (The patch referenced above seems to add a new authentication method rather than extending the current local ident support.)
My previous post seems to have been corrupted in some way. Or at least it appears broken on http://archives.postgresql.org. I'll try again...
Both emails look good. Thanks. This will be in 7.4.

---------------------------------------------------------------------------

Alex Cichowski wrote:
> My previous post seems to have been corrupted in some way. Or at least it
> appears broken on http://archives.postgresql.org. I'll try again...
>
> From thread "openbsd getpeereid(), local ident:" (Nov 2002):
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in. I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have included my patch below,
> which was made for the 7.3.1 source tree. (The patch referenced above
> seems to add a new authentication method rather than extending the current
> local ident support.)
>
> From thread "Add another AUTHTYPE for UNIX-domain connections" (Dec 2001):
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid(). I have added this to the TODO
> > list. We already have the other BSD's covered, and Linux. I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
> > Sincerely, > Alex > > diff -uNr postgresql-7.3.1.orig/configure postgresql-7.3.1/configure > --- postgresql-7.3.1.orig/configure Wed Dec 18 12:37:17 2002 > +++ postgresql-7.3.1/configure Sat Jan 25 16:54:43 2003 > @@ -9819,7 +9819,8 @@ > > > > -for ac_func in cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync > + > +for ac_func in cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync getpeereid > do > as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` > echo "$as_me:$LINENO: checking for $ac_func" >&5 > diff -uNr postgresql-7.3.1.orig/configure.in postgresql-7.3.1/configure.in > --- postgresql-7.3.1.orig/configure.in Wed Dec 18 12:37:20 2002 > +++ postgresql-7.3.1/configure.in Sat Jan 25 16:54:43 2003 > @@ -782,7 +782,7 @@ > # SunOS doesn't handle negative byte comparisons properly with +/- return > AC_FUNC_MEMCMP > > -AC_CHECK_FUNCS([cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync]) > +AC_CHECK_FUNCS([cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync getpeereid]) > > AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>]) > > diff -uNr postgresql-7.3.1.orig/src/backend/libpq/hba.c postgresql-7.3.1/src/backend/libpq/hba.c > --- postgresql-7.3.1.orig/src/backend/libpq/hba.c Sun Dec 15 05:19:43 2002 > +++ postgresql-7.3.1/src/backend/libpq/hba.c Sat Jan 25 16:54:43 2003 
> @@ -1311,6 +1311,30 @@ > > return true; > > +#elif defined(HAVE_GETPEEREID) > + uid_t euid; > + gid_t egid; > + struct passwd *pw; > + > + if (getpeereid(sock, &euid, &egid) != 0) > + { > + elog(LOG, "ident_unix: getpeereid() error: %m"); > + return false; > + } > + > + pw = getpwuid(euid); > + > + if (pw == NULL) > + { > + elog(LOG, "ident_unix: unknown local user with uid %d", > + (int) euid); > + return false; > + } > + > + StrNCpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX + 1); > + > + return true; > + > #else > elog(LOG, "'ident' auth is not supported on local connections on this platform"); > > diff -uNr postgresql-7.3.1.orig/src/include/pg_config.h.in postgresql-7.3.1/src/include/pg_config.h.in > --- postgresql-7.3.1.orig/src/include/pg_config.h.in Fri Nov 8 15:53:09 2002 > +++ postgresql-7.3.1/src/include/pg_config.h.in Sat Jan 25 16:59:51 2003 > @@ -655,6 +655,9 @@ > /* Define exactly one of these symbols to select shared-mem implementation */ > #undef USE_SYSV_SHARED_MEMORY > > +/* Define if you have getpeereid() */ > +#undef HAVE_GETPEEREID > + > > /* > *------------------------------------------------------------------------ > > > ---------------------------(end of broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
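Review bot: The configure hunk patches generated output and, besides appending getpeereid to the "for ac_func in ..." list, adds an extra blank line before that loop. Since the same function is added to AC_CHECK_FUNCS in configure.in, I would drop the configure hunk from the submission and have configure regenerated from configure.in with the tree's autoconf version, which also answers the request to verify the autoconf check.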
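Review bot: In the HAVE_GETPEEREID branch of hba.c, StrNCpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX + 1) silently truncates a longer system user name, and the truncated string is what is returned in ident_user for authentication; I would check strlen(pw->pw_name) against IDENT_USERNAME_MAX and return false with a LOG message rather than truncate. Separately, the "unknown local user with uid %d" message casts euid to int, which prints a negative number for large uids where uid_t is unsigned; (unsigned long) euid with %lu avoids that. The hunk adds no #include lines, so please confirm that the headers declaring getpwuid() and getpeereid() are already included in hba.c when only this branch is compiled.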
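Review bot: The new "#undef HAVE_GETPEEREID" in pg_config.h.in lands directly after USE_SYSV_SHARED_MEMORY, under the comment "Define exactly one of these symbols to select shared-mem implementation", where it reads as one of the shared-memory choices. I would move it next to the HAVE_ symbols for the other functions listed in AC_CHECK_FUNCS and leave the shared-memory block as it was.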
Your patch has been added to the PostgreSQL unapplied patches list at:

	http://momjian.postgresql.org/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------

Alex Cichowski wrote:
> Regarding the following "openbsd getpeereid(), local ident:" thread on the
> pgsql-patches list, Nov 2002:
>
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in. I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have attached my patch, which
> was made for the 7.3.1 source tree. (The patch referenced above seems to
> add a new authentication method rather than extending the current local
> ident support.)
>
> From the Dec 2001 pgsql-patches thread "Add another AUTHTYPE for
> UNIX-domain connections":
>
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid(). I have added this to the TODO
> > list. We already have the other BSD's covered, and Linux. I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
>
> Sincerely,
> Alex

Content-Description: Patch

[ Attachment, skipping... ]

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Seems I already got OpenBSD working in current CVS:

	revision 1.88
	date: 2002/12/03 21:50:44; author: momjian; state: Exp; lines: +29 -2
	Add OpenBSD local indent credentials, from William Ahern.

If you want to try our CVS version or the nightly snapshots on the FTP server, I think you will find it works fine.

---------------------------------------------------------------------------

Alex Cichowski wrote:
> Regarding the following "openbsd getpeereid(), local ident:" thread on the
> pgsql-patches list, Nov 2002:
>
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in. I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have attached my patch, which
> was made for the 7.3.1 source tree. (The patch referenced above seems to
> add a new authentication method rather than extending the current local
> ident support.)
>
> From the Dec 2001 pgsql-patches thread "Add another AUTHTYPE for
> UNIX-domain connections":
>
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid(). I have added this to the TODO
> > list. We already have the other BSD's covered, and Linux. I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
>
> Sincerely,
> Alex

Content-Description: Patch

[ Attachment, skipping... ]

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073