Thread: distinguish between all and "all" in pg_hba.conf
Tom Lane wrote: >Andrew Dunstan <andrew@dunslane.net> writes: > > >>The minimal disturbance change might be to teach the parser to >>distinguish between a quoted 'all' and an unquoted 'all', and forget the >>'*' idea. >> >> > >Probably we ought to go with that, on backwards-compatibility grounds. > > > OK, here's the patch. Should we also do this for "sameuser" and "samegroup" for the sake of completness? cheers andrew Index: hba.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v retrieving revision 1.118 diff -c -w -r1.118 hba.c *** hba.c 5 Dec 2003 15:50:31 -0000 1.118 --- hba.c 19 Dec 2003 15:26:18 -0000 *************** *** 97,102 **** --- 97,103 ---- char *end_buf = buf + (bufsz - 1); bool in_quote = false; bool was_quote = false; + bool saw_quote = false; /* Move over initial whitespace and commas */ while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) *************** *** 149,155 **** --- 150,159 ---- was_quote = false; if (c == '"') + { in_quote = !in_quote; + saw_quote = true; + } c = getc(fp); } *************** *** 161,167 **** --- 165,179 ---- if (c != EOF) ungetc(c, fp); } + + + /* append newline to a magical "all" */ + + if ( !saw_quote && strncmp(start_buf,"all",3) == 0 ) + *buf++ = '\n'; + *buf = '\0'; + } /* *************** *** 446,452 **** return true; } else if (strcmp(tok, user) == 0 || ! strcmp(tok, "all") == 0) return true; } --- 458,464 ---- return true; } else if (strcmp(tok, user) == 0 || ! strcmp(tok, "all\n") == 0) return true; } *************** *** 463,469 **** for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) { ! if (strcmp(tok, "all") == 0) return true; else if (strcmp(tok, "sameuser") == 0) { --- 475,481 ---- for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) { ! 
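Review bot: The keyword test added in the `*** 161,167` hunk is a prefix match, `strncmp(start_buf,"all",3) == 0`, so any unquoted token that merely begins with "all" (an ordinary role or database name, presumably allowed unquoted) also gets the trailing newline and then can never equal the real name in the `strcmp(tok, user)` test of the `*** 446,452` hunk, so that pg_hba.conf line silently matches nothing; the failure direction is closed (no over-grant), but it is a lockout with no diagnostic. The comparison also runs before `*buf = '\0'`, so for a token shorter than three characters strncmp compares against whatever stale bytes follow it in the buffer. Terminate first and compare the whole token with strcmp, as below; the same change applies to the three strncmp calls in the revised patch later in the thread (and its quoted copies in the follow-ups). Separately, this first version keeps `end_buf = buf + (bufsz - 1)` while now writing one more byte than before, which the revised patch addresses with `bufsz - 2`. next_token's body starts outside the hunk.
```c
	/* … unchanged: ungetc(c, fp) and the end of the token loop … */
	*buf = '\0';

	/*
	 * Only an unquoted token that is exactly the keyword is magical; a
	 * prefix match would turn an unquoted name such as "allen" into a
	 * token that never matches anything.
	 */
	if (!saw_quote && strcmp(start_buf, "all") == 0)
	{
		/* append newline to a magical "all" */
		*buf++ = '\n';
		*buf = '\0';
	}
}
```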
if (strcmp(tok, "all\n") == 0) return true; else if (strcmp(tok, "sameuser") == 0) { Index: pg_hba.conf.sample =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v retrieving revision 1.47 diff -c -w -r1.47 pg_hba.conf.sample *** pg_hba.conf.sample 13 Sep 2003 16:43:38 -0000 1.47 --- pg_hba.conf.sample 19 Dec 2003 15:26:18 -0000 *************** *** 35,40 **** --- 35,44 ---- # encrypted passwords. OPTION is the ident map or the name of the PAM # service. # + # Database and user names containing spaces, commas, quotes and other special + # characters can be quoted. Quoting "all" makes the name lose its special + # character, and just match a database or username called "all". + # # This file is read on server startup and when the postmaster receives # a SIGHUP signal. If you edit the file on a running system, you have # to SIGHUP the postmaster for the changes to take effect, or use *************** *** 59,62 **** # IPv4-style local connections: host all all 127.0.0.1 255.255.255.255 trust # IPv6-style local connections: ! host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust --- 63,66 ---- # IPv4-style local connections: host all all 127.0.0.1 255.255.255.255 trust # IPv6-style local connections: ! host all all ::1/128 trust
I wrote: > Tom Lane wrote: > >> Andrew Dunstan <andrew@dunslane.net> writes: >> >> >>> The minimal disturbance change might be to teach the parser to >>> distinguish between a quoted 'all' and an unquoted 'all', and forget >>> the '*' idea. >>> >> >> >> Probably we ought to go with that, on backwards-compatibility grounds. >> >> >> > > OK, here's the patch. Should we also do this for "sameuser" and > "samegroup" for the sake of completness? Revised patch for this as suggested by Tom. cheers andrew Index: hba.c =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v retrieving revision 1.118 diff -c -w -r1.118 hba.c *** hba.c 5 Dec 2003 15:50:31 -0000 1.118 --- hba.c 19 Dec 2003 17:42:20 -0000 *************** *** 87,102 **** * token or EOF, whichever comes first. If no more tokens on line, * return null string as *buf and position file to beginning of * next line or EOF, whichever comes first. Allow spaces in quoted ! * strings. Terminate on unquoted commas. Handle comments. */ void next_token(FILE *fp, char *buf, const int bufsz) { int c; char *start_buf = buf; ! char *end_buf = buf + (bufsz - 1); bool in_quote = false; bool was_quote = false; /* Move over initial whitespace and commas */ while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) --- 87,105 ---- * token or EOF, whichever comes first. If no more tokens on line, * return null string as *buf and position file to beginning of * next line or EOF, whichever comes first. Allow spaces in quoted ! * strings. Terminate on unquoted commas. Handle comments. Treat ! * unquoted keywords that might be user names or database names ! * specially, by appending a newline to them. */ void next_token(FILE *fp, char *buf, const int bufsz) { int c; char *start_buf = buf; ! 
char *end_buf = buf + (bufsz - 2); bool in_quote = false; bool was_quote = false; + bool saw_quote = false; /* Move over initial whitespace and commas */ while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) *************** *** 149,155 **** --- 152,161 ---- was_quote = false; if (c == '"') + { in_quote = !in_quote; + saw_quote = true; + } c = getc(fp); } *************** *** 161,167 **** --- 167,188 ---- if (c != EOF) ungetc(c, fp); } + + + if ( !saw_quote && + ( + strncmp(start_buf,"all",3) == 0 || + strncmp(start_buf,"sameuser",8) == 0 || + strncmp(start_buf,"samegroup",9) == 0 + ) + ) + { + /* append newline to a magical keyword */ + *buf++ = '\n'; + } + *buf = '\0'; + } /* *************** *** 446,452 **** return true; } else if (strcmp(tok, user) == 0 || ! strcmp(tok, "all") == 0) return true; } --- 467,473 ---- return true; } else if (strcmp(tok, user) == 0 || ! strcmp(tok, "all\n") == 0) return true; } *************** *** 463,476 **** for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) { ! if (strcmp(tok, "all") == 0) return true; ! else if (strcmp(tok, "sameuser") == 0) { if (strcmp(dbname, user) == 0) return true; } ! else if (strcmp(tok, "samegroup") == 0) { if (check_group(dbname, user)) return true; --- 484,497 ---- for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) { ! if (strcmp(tok, "all\n") == 0) return true; ! else if (strcmp(tok, "sameuser\n") == 0) { if (strcmp(dbname, user) == 0) return true; } ! else if (strcmp(tok, "samegroup\n") == 0) { if (check_group(dbname, user)) return true; *************** *** 1068,1074 **** errmsg("cannot use Ident authentication without usermap field"))); found_entry = false; } ! else if (strcmp(usermap_name, "sameuser") == 0) { if (strcmp(pg_user, ident_user) == 0) found_entry = true; --- 1089,1095 ---- errmsg("cannot use Ident authentication without usermap field"))); found_entry = false; } ! 
else if (strcmp(usermap_name, "sameuser\n") == 0) { if (strcmp(pg_user, ident_user) == 0) found_entry = true; Index: pg_hba.conf.sample =================================================================== RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v retrieving revision 1.47 diff -c -w -r1.47 pg_hba.conf.sample *** pg_hba.conf.sample 13 Sep 2003 16:43:38 -0000 1.47 --- pg_hba.conf.sample 19 Dec 2003 17:42:20 -0000 *************** *** 35,40 **** --- 35,45 ---- # encrypted passwords. OPTION is the ident map or the name of the PAM # service. # + # Database and user names containing spaces, commas, quotes and other special + # characters can be quoted. Quoting one of the keywords "all", "sameuser" or + # "samegroup" makes the name lose its special character, and just match a + # database or username with that name. + # # This file is read on server startup and when the postmaster receives # a SIGHUP signal. If you edit the file on a running system, you have # to SIGHUP the postmaster for the changes to take effect, or use *************** *** 59,62 **** # IPv4-style local connections: host all all 127.0.0.1 255.255.255.255 trust # IPv6-style local connections: ! host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust --- 64,67 ---- # IPv4-style local connections: host all all 127.0.0.1 255.255.255.255 trust # IPv6-style local connections: ! host all all ::1/128 trust
That IPv6 cleanup is major! > ! host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust > ! host all all ::1/128 trust Your patch has been added to the PostgreSQL unapplied patches list at: http://momjian.postgresql.org/cgi-bin/pgpatches I will try to apply it within the next 48 hours. --------------------------------------------------------------------------- Andrew Dunstan wrote: > I wrote: > > > Tom Lane wrote: > > > >> Andrew Dunstan <andrew@dunslane.net> writes: > >> > >> > >>> The minimal disturbance change might be to teach the parser to > >>> distinguish between a quoted 'all' and an unquoted 'all', and forget > >>> the '*' idea. > >>> > >> > >> > >> Probably we ought to go with that, on backwards-compatibility grounds. > >> > >> > >> > > > > OK, here's the patch. Should we also do this for "sameuser" and > > "samegroup" for the sake of completness? > > > > Revised patch for this as suggested by Tom. > > cheers > > andrew > > Index: hba.c > =================================================================== > RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v > retrieving revision 1.118 > diff -c -w -r1.118 hba.c > *** hba.c 5 Dec 2003 15:50:31 -0000 1.118 > --- hba.c 19 Dec 2003 17:42:20 -0000 > *************** > *** 87,102 **** > * token or EOF, whichever comes first. If no more tokens on line, > * return null string as *buf and position file to beginning of > * next line or EOF, whichever comes first. Allow spaces in quoted > ! * strings. Terminate on unquoted commas. Handle comments. > */ > void > next_token(FILE *fp, char *buf, const int bufsz) > { > int c; > char *start_buf = buf; > ! char *end_buf = buf + (bufsz - 1); > bool in_quote = false; > bool was_quote = false; > > /* Move over initial whitespace and commas */ > while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) > --- 87,105 ---- > * token or EOF, whichever comes first. 
If no more tokens on line, > * return null string as *buf and position file to beginning of > * next line or EOF, whichever comes first. Allow spaces in quoted > ! * strings. Terminate on unquoted commas. Handle comments. Treat > ! * unquoted keywords that might be user names or database names > ! * specially, by appending a newline to them. > */ > void > next_token(FILE *fp, char *buf, const int bufsz) > { > int c; > char *start_buf = buf; > ! char *end_buf = buf + (bufsz - 2); > bool in_quote = false; > bool was_quote = false; > + bool saw_quote = false; > > /* Move over initial whitespace and commas */ > while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) > *************** > *** 149,155 **** > --- 152,161 ---- > was_quote = false; > > if (c == '"') > + { > in_quote = !in_quote; > + saw_quote = true; > + } > > c = getc(fp); > } > *************** > *** 161,167 **** > --- 167,188 ---- > if (c != EOF) > ungetc(c, fp); > } > + > + > + if ( !saw_quote && > + ( > + strncmp(start_buf,"all",3) == 0 || > + strncmp(start_buf,"sameuser",8) == 0 || > + strncmp(start_buf,"samegroup",9) == 0 > + ) > + ) > + { > + /* append newline to a magical keyword */ > + *buf++ = '\n'; > + } > + > *buf = '\0'; > + > } > > /* > *************** > *** 446,452 **** > return true; > } > else if (strcmp(tok, user) == 0 || > ! strcmp(tok, "all") == 0) > return true; > } > > --- 467,473 ---- > return true; > } > else if (strcmp(tok, user) == 0 || > ! strcmp(tok, "all\n") == 0) > return true; > } > > *************** > *** 463,476 **** > > for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) > { > ! if (strcmp(tok, "all") == 0) > return true; > ! else if (strcmp(tok, "sameuser") == 0) > { > if (strcmp(dbname, user) == 0) > return true; > } > ! 
else if (strcmp(tok, "samegroup") == 0) > { > if (check_group(dbname, user)) > return true; > --- 484,497 ---- > > for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) > { > ! if (strcmp(tok, "all\n") == 0) > return true; > ! else if (strcmp(tok, "sameuser\n") == 0) > { > if (strcmp(dbname, user) == 0) > return true; > } > ! else if (strcmp(tok, "samegroup\n") == 0) > { > if (check_group(dbname, user)) > return true; > *************** > *** 1068,1074 **** > errmsg("cannot use Ident authentication without usermap field"))); > found_entry = false; > } > ! else if (strcmp(usermap_name, "sameuser") == 0) > { > if (strcmp(pg_user, ident_user) == 0) > found_entry = true; > --- 1089,1095 ---- > errmsg("cannot use Ident authentication without usermap field"))); > found_entry = false; > } > ! else if (strcmp(usermap_name, "sameuser\n") == 0) > { > if (strcmp(pg_user, ident_user) == 0) > found_entry = true; > Index: pg_hba.conf.sample > =================================================================== > RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v > retrieving revision 1.47 > diff -c -w -r1.47 pg_hba.conf.sample > *** pg_hba.conf.sample 13 Sep 2003 16:43:38 -0000 1.47 > --- pg_hba.conf.sample 19 Dec 2003 17:42:20 -0000 > *************** > *** 35,40 **** > --- 35,45 ---- > # encrypted passwords. OPTION is the ident map or the name of the PAM > # service. > # > + # Database and user names containing spaces, commas, quotes and other special > + # characters can be quoted. Quoting one of the keywords "all", "sameuser" or > + # "samegroup" makes the name lose its special character, and just match a > + # database or username with that name. > + # > # This file is read on server startup and when the postmaster receives > # a SIGHUP signal. 
If you edit the file on a running system, you have > # to SIGHUP the postmaster for the changes to take effect, or use > *************** > *** 59,62 **** > # IPv4-style local connections: > host all all 127.0.0.1 255.255.255.255 trust > # IPv6-style local connections: > ! host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust > --- 64,67 ---- > # IPv4-style local connections: > host all all 127.0.0.1 255.255.255.255 trust > # IPv6-style local connections: > ! host all all ::1/128 trust > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Patch applied. Thanks. --------------------------------------------------------------------------- Andrew Dunstan wrote: > I wrote: > > > Tom Lane wrote: > > > >> Andrew Dunstan <andrew@dunslane.net> writes: > >> > >> > >>> The minimal disturbance change might be to teach the parser to > >>> distinguish between a quoted 'all' and an unquoted 'all', and forget > >>> the '*' idea. > >>> > >> > >> > >> Probably we ought to go with that, on backwards-compatibility grounds. > >> > >> > >> > > > > OK, here's the patch. Should we also do this for "sameuser" and > > "samegroup" for the sake of completness? > > > > Revised patch for this as suggested by Tom. > > cheers > > andrew > > Index: hba.c > =================================================================== > RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/hba.c,v > retrieving revision 1.118 > diff -c -w -r1.118 hba.c > *** hba.c 5 Dec 2003 15:50:31 -0000 1.118 > --- hba.c 19 Dec 2003 17:42:20 -0000 > *************** > *** 87,102 **** > * token or EOF, whichever comes first. If no more tokens on line, > * return null string as *buf and position file to beginning of > * next line or EOF, whichever comes first. Allow spaces in quoted > ! * strings. Terminate on unquoted commas. Handle comments. > */ > void > next_token(FILE *fp, char *buf, const int bufsz) > { > int c; > char *start_buf = buf; > ! char *end_buf = buf + (bufsz - 1); > bool in_quote = false; > bool was_quote = false; > > /* Move over initial whitespace and commas */ > while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) > --- 87,105 ---- > * token or EOF, whichever comes first. If no more tokens on line, > * return null string as *buf and position file to beginning of > * next line or EOF, whichever comes first. Allow spaces in quoted > ! * strings. Terminate on unquoted commas. Handle comments. Treat > ! * unquoted keywords that might be user names or database names > ! * specially, by appending a newline to them. 
> */ > void > next_token(FILE *fp, char *buf, const int bufsz) > { > int c; > char *start_buf = buf; > ! char *end_buf = buf + (bufsz - 2); > bool in_quote = false; > bool was_quote = false; > + bool saw_quote = false; > > /* Move over initial whitespace and commas */ > while ((c = getc(fp)) != EOF && (pg_isblank(c) || c == ',')) > *************** > *** 149,155 **** > --- 152,161 ---- > was_quote = false; > > if (c == '"') > + { > in_quote = !in_quote; > + saw_quote = true; > + } > > c = getc(fp); > } > *************** > *** 161,167 **** > --- 167,188 ---- > if (c != EOF) > ungetc(c, fp); > } > + > + > + if ( !saw_quote && > + ( > + strncmp(start_buf,"all",3) == 0 || > + strncmp(start_buf,"sameuser",8) == 0 || > + strncmp(start_buf,"samegroup",9) == 0 > + ) > + ) > + { > + /* append newline to a magical keyword */ > + *buf++ = '\n'; > + } > + > *buf = '\0'; > + > } > > /* > *************** > *** 446,452 **** > return true; > } > else if (strcmp(tok, user) == 0 || > ! strcmp(tok, "all") == 0) > return true; > } > > --- 467,473 ---- > return true; > } > else if (strcmp(tok, user) == 0 || > ! strcmp(tok, "all\n") == 0) > return true; > } > > *************** > *** 463,476 **** > > for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) > { > ! if (strcmp(tok, "all") == 0) > return true; > ! else if (strcmp(tok, "sameuser") == 0) > { > if (strcmp(dbname, user) == 0) > return true; > } > ! else if (strcmp(tok, "samegroup") == 0) > { > if (check_group(dbname, user)) > return true; > --- 484,497 ---- > > for (tok = strtok(param_str, MULTI_VALUE_SEP); tok != NULL; tok = strtok(NULL, MULTI_VALUE_SEP)) > { > ! if (strcmp(tok, "all\n") == 0) > return true; > ! else if (strcmp(tok, "sameuser\n") == 0) > { > if (strcmp(dbname, user) == 0) > return true; > } > ! 
else if (strcmp(tok, "samegroup\n") == 0) > { > if (check_group(dbname, user)) > return true; > *************** > *** 1068,1074 **** > errmsg("cannot use Ident authentication without usermap field"))); > found_entry = false; > } > ! else if (strcmp(usermap_name, "sameuser") == 0) > { > if (strcmp(pg_user, ident_user) == 0) > found_entry = true; > --- 1089,1095 ---- > errmsg("cannot use Ident authentication without usermap field"))); > found_entry = false; > } > ! else if (strcmp(usermap_name, "sameuser\n") == 0) > { > if (strcmp(pg_user, ident_user) == 0) > found_entry = true; > Index: pg_hba.conf.sample > =================================================================== > RCS file: /projects/cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v > retrieving revision 1.47 > diff -c -w -r1.47 pg_hba.conf.sample > *** pg_hba.conf.sample 13 Sep 2003 16:43:38 -0000 1.47 > --- pg_hba.conf.sample 19 Dec 2003 17:42:20 -0000 > *************** > *** 35,40 **** > --- 35,45 ---- > # encrypted passwords. OPTION is the ident map or the name of the PAM > # service. > # > + # Database and user names containing spaces, commas, quotes and other special > + # characters can be quoted. Quoting one of the keywords "all", "sameuser" or > + # "samegroup" makes the name lose its special character, and just match a > + # database or username with that name. > + # > # This file is read on server startup and when the postmaster receives > # a SIGHUP signal. If you edit the file on a running system, you have > # to SIGHUP the postmaster for the changes to take effect, or use > *************** > *** 59,62 **** > # IPv4-style local connections: > host all all 127.0.0.1 255.255.255.255 trust > # IPv6-style local connections: > ! host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust > --- 64,67 ---- > # IPv4-style local connections: > host all all 127.0.0.1 255.255.255.255 trust > # IPv6-style local connections: > ! 
host all all ::1/128 trust > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073