Thread: getpeereid() for local ident

getpeereid() for local ident

From
Alex Cichowski
Date:
Regarding the following "openbsd getpeereid(), local ident:" thread on the
pgsql-patches list, Nov 2002:

Bruce Momjian wrote:
> Please send over the patch and I will see if I can get it in.  I had
> meant to add getpeereid() for OpenBSD myself but never got the time.
> ...
> William Ahern wrote:
> > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > said that something like it was already in, but "not using
> > getpeereid". however, openbsd only supports getpeereid(). will this
> > patch be implemented?

I needed the local ident authentication feature on OpenBSD and it seemed
simple enough, so I implemented it myself. I have attached my patch, which
was made for the 7.3.1 source tree. (The patch referenced above seems to
add a new authentication method rather than extending the current local
ident support.)

Re: getpeereid() for local ident

From
Alex Cichowski
Date:
My previous post seems to have been corrupted in some way. Or at least it
appears broken on http://archives.postgresql.org. I'll try again...

Re: getpeereid() for local ident

From
Bruce Momjian
Date:
Both emails look good. Thanks.  This will be in 7.4.

---------------------------------------------------------------------------

Alex Cichowski wrote:
> My previous post seems to have been corrupted in some way. Or at least it
> appears broken on http://archives.postgresql.org. I'll try again...
>
> From thread "openbsd getpeereid(), local ident:" (Nov 2002):
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in.  I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have included my patch below,
> which was made for the 7.3.1 source tree. (The patch referenced above
> seems to add a new authentication method rather than extending the current
> local ident support.)
>
> From thread "Add another AUTHTYPE for UNIX-domain connections" (Dec 2001):
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid().  I have added this to the TODO
> > list.  We already have the other BSD's covered, and Linux.  I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
>
> Sincerely,
> Alex
>
> diff -uNr postgresql-7.3.1.orig/configure postgresql-7.3.1/configure
> --- postgresql-7.3.1.orig/configure    Wed Dec 18 12:37:17 2002
> +++ postgresql-7.3.1/configure    Sat Jan 25 16:54:43 2003
> @@ -9819,7 +9819,8 @@
>
>
>
> -for ac_func in cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync
> +
> +for ac_func in cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync
getpeereid
>  do
>  as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
>  echo "$as_me:$LINENO: checking for $ac_func" >&5
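
Review bot: configure is generated output, so the getpeereid addition to the ac_func list in this hunk should come from rerunning autoconf on the patched configure.in rather than from a hand-carried hunk. Drop the configure hunk from the patch and let the committer regenerate the script, which also avoids carrying the unrelated blank line added just above the `for ac_func in` line.
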
> diff -uNr postgresql-7.3.1.orig/configure.in postgresql-7.3.1/configure.in
> --- postgresql-7.3.1.orig/configure.in    Wed Dec 18 12:37:20 2002
> +++ postgresql-7.3.1/configure.in    Sat Jan 25 16:54:43 2003
> @@ -782,7 +782,7 @@
>  # SunOS doesn't handle negative byte comparisons properly with +/- return
>  AC_FUNC_MEMCMP
>
> -AC_CHECK_FUNCS([cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen
fdatasync])
> +AC_CHECK_FUNCS([cbrt fcvt getopt_long memmove pstat setproctitle setsid sigprocmask sysconf waitpid dlopen fdatasync
getpeereid])
>
>  AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>])
>
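
Review bot: both the removed and the added AC_CHECK_FUNCS lines in this hunk are wrapped, with `fdatasync])` and `getpeereid])` sitting on lines of their own without a diff marker, so patch will reject the hunk as posted; resend it as an attachment or with line wrapping turned off. The check itself is the right one: adding getpeereid to the AC_CHECK_FUNCS list is what produces the HAVE_GETPEEREID symbol that the hba.c hunk tests with `#elif defined(HAVE_GETPEEREID)`.
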
> diff -uNr postgresql-7.3.1.orig/src/backend/libpq/hba.c postgresql-7.3.1/src/backend/libpq/hba.c
> --- postgresql-7.3.1.orig/src/backend/libpq/hba.c    Sun Dec 15 05:19:43 2002
> +++ postgresql-7.3.1/src/backend/libpq/hba.c    Sat Jan 25 16:54:43 2003
> @@ -1311,6 +1311,30 @@
>
>      return true;
>
> +#elif defined(HAVE_GETPEEREID)
> +    uid_t euid;
> +    gid_t egid;
> +    struct passwd *pw;
> +
> +    if (getpeereid(sock, &euid, &egid) != 0)
> +    {
> +        elog(LOG, "ident_unix: getpeereid() error: %m");
> +        return false;
> +    }
> +
> +    pw = getpwuid(euid);
> +
> +    if (pw == NULL)
> +    {
> +        elog(LOG, "ident_unix: unknown local user with uid %d",
> +             (int) euid);
> +        return false;
> +    }
> +
> +    StrNCpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX + 1);
> +
> +    return true;
> +
>  #else
>      elog(LOG, "'ident' auth is not supported on local connections on this platform");
>
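
Review bot: the StrNCpy() into ident_user at the end of the HAVE_GETPEEREID branch copies pw->pw_name with a limit of IDENT_USERNAME_MAX + 1 and never checks whether the name fit, so a login name longer than the buffer would be cut short and the shortened string is what the function hands back as the peer's identity. Compare strlen(pw->pw_name) against IDENT_USERNAME_MAX first and return false with a LOG message when it is longer. Two smaller points: egid is filled in by getpeereid() but never used, which deserves a one-line comment, and uid_t is commonly unsigned, so the uid in the "unknown local user" message would print more faithfully as %lu with an (unsigned long) cast than as %d with (int).
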
> diff -uNr postgresql-7.3.1.orig/src/include/pg_config.h.in postgresql-7.3.1/src/include/pg_config.h.in
> --- postgresql-7.3.1.orig/src/include/pg_config.h.in    Fri Nov  8 15:53:09 2002
> +++ postgresql-7.3.1/src/include/pg_config.h.in    Sat Jan 25 16:59:51 2003
> @@ -655,6 +655,9 @@
>  /* Define exactly one of these symbols to select shared-mem implementation */
>  #undef USE_SYSV_SHARED_MEMORY
>
> +/* Define if you have getpeereid() */
> +#undef HAVE_GETPEEREID
> +
>
>  /*
>   *------------------------------------------------------------------------
>
>
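
Review bot: the new HAVE_GETPEEREID entry is placed directly after USE_SYSV_SHARED_MEMORY, under the "Define exactly one of these symbols to select shared-mem implementation" comment, where it reads as part of the shared-memory selection group. Move it next to the HAVE_ entries for the other functions checked by AC_CHECK_FUNCS so the symbol sits with its peers.
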

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: getpeereid() for local ident

From
Bruce Momjian
Date:
Your patch has been added to the PostgreSQL unapplied patches list at:

    http://momjian.postgresql.org/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------


Alex Cichowski wrote:
> Regarding the following "openbsd getpeereid(), local ident:" thread on the
> pgsql-patches list, Nov 2002:
>
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in.  I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have attached my patch, which
> was made for the 7.3.1 source tree. (The patch referenced above seems to
> add a new authentication method rather than extending the current local
> ident support.)
>
> From the Dec 2001 pgsql-patches thread "Add another AUTHTYPE for
> UNIX-domain connections":
>
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid().  I have added this to the TODO
> > list.  We already have the other BSD's covered, and Linux.  I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
>
> Sincerely,
> Alex


Re: getpeereid() for local ident

From
Bruce Momjian
Date:
Seems I already got OpenBSD working in current CVS:

    revision 1.88
    date: 2002/12/03 21:50:44;  author: momjian;  state: Exp;  lines: +29 -2
    Add OpenBSD local indent credentials, from William Ahern.

If you want to try our CVS version or the nightly snapshots on the FTP
server, I think you will find it works fine.


---------------------------------------------------------------------------

Alex Cichowski wrote:
> Regarding the following "openbsd getpeereid(), local ident:" thread on the
> pgsql-patches list, Nov 2002:
>
> Bruce Momjian wrote:
> > Please send over the patch and I will see if I can get it in.  I had
> > meant to add getpeereid() for OpenBSD myself but never got the time.
> > ...
> > William Ahern wrote:
> > > there's a patch for getpeereid() dated Dec 3, 2001. a follow-up post
> > > said that something like it was already in, but "not using
> > > getpeereid". however, openbsd only supports getpeereid(). will this
> > > patch be implemented?
>
> I needed the local ident authentication feature on OpenBSD and it seemed
> simple enough, so I implemented it myself. I have attached my patch, which
> was made for the 7.3.1 source tree. (The patch referenced above seems to
> add a new authentication method rather than extending the current local
> ident support.)
>
> From the Dec 2001 pgsql-patches thread "Add another AUTHTYPE for
> UNIX-domain connections":
>
> Bruce Momjian wrote:
> > OpenBSD implements only getpeereid().  I have added this to the TODO
> > list.  We already have the other BSD's covered, and Linux.  I am
> > concerned about moving to getpeereid() on the other BSD's because we
> > have working code already for them and I am not sure how new the OS has
> > to be to have getpeereid() support, i.e. is it in FreeBSD 4.4?
>
> I have put the getpeereid() code last in the #elif chain in this patch, so
> getpeereid() will only be used if there is no other alternative.
>
> If you wish to use this patch, please verify that I have added the
> autoconf check for getpeereid() correctly, as I am not very familiar with
> autoconf.
>
> Sincerely,
> Alex
