Thoughts on pg_hba.conf rejection
When there is a specific reject rule, why does the server say
FATAL: no pg_hba.conf entry
That sounds like an administrative error, rather than a specific
decision on the part of an admin to reject the connection. Suggested
message would be
FATAL: connection rejected for host "xxx", user "xxxx", database "xxx"
Clearly needs to be secure. Does the second message give any information
to a would-be hacker than the first? I don't think so, but it certainly
helps an admin work out if they've missed something.
--
Simon Riggs www.2ndQuadrant.com
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: no pg_hba.conf entry
It's intentional. We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.
regards, tom lane
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: no pg_hba.conf entryIt's intentional. We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.
i just tried it in CVS and in 8.4 and when i put a reject rule on
pg_hba.conf what i get is:
psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "mic",
database "mic"
so we are giving a lot of info already changing "no pg_hba.conf entry"
for "connection rejected" doesn't seem like a lot more and the change
could be useful for a DBA understanding what happens
--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Asesoría y desarrollo de sistemas
Guayaquil - Ecuador
Cel. +59387171157
Jaime Casanova <jcasanov@systemguards.com.ec> writes:
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
It's intentional. We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.
i just tried it in CVS and in 8.4 and when i put a reject rule on
pg_hba.conf what i get is:
psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "mic",
database "mic"
so we are giving a lot of info already
All three of those data values are known to the client; they don't add
knowledge about what is in pg_hba.conf.
regards, tom lane
Clearly needs to be secure. Does the second message give any information
to a would-be hacker than the first? I don't think so, but it certainly
helps an admin work out if they've missed something.
I think this question needs a bona fide network security geek to decide,
rather than us database geeks. Hello! Is there a security hacker in
the house?
--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: no pg_hba.conf entryIt's intentional. We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.
The problem with the message is not that it's uninformative, but that
it's counterfactual.
...Robert
On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: no pg_hba.conf entryIt's intentional. We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.The problem with the message is not that it's uninformative, but that
it's counterfactual....Robert
I agree (I noticed and was bothered by this today, as a matter of irrelevant
fact). I can support the idea of exposing as little as possible of
pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
standard. Just say something like "connection disallowed" and leave it at that
-- either it's disallowed by lack of a rule, or by existence of a "reject"
rule, or by something else entirely. As long as the message isn't clearly
wrong in the "reject" case, as it is now.
--
Joshua Tolley / eggyknap
End Point Corporation
http://www.endpoint.com
Joshua Tolley wrote:
-- Start of PGP signed section.
On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: ?no pg_hba.conf entryIt's intentional. ?We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.The problem with the message is not that it's uninformative, but that
it's counterfactual....Robert
I agree (I noticed and was bothered by this today, as a matter of irrelevant
fact). I can support the idea of exposing as little as possible of
pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
standard. Just say something like "connection disallowed" and leave it at that
-- either it's disallowed by lack of a rule, or by existence of a "reject"
rule, or by something else entirely. As long as the message isn't clearly
wrong in the "reject" case, as it is now.
Did we come to any conclusion on this?
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
* Bruce Momjian <bruce@momjian.us> [100414 16:20]:
Joshua Tolley wrote:
-- Start of PGP signed section.On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Simon Riggs <simon@2ndQuadrant.com> writes:
When there is a specific reject rule, why does the server say
FATAL: ?no pg_hba.conf entryIt's intentional. ?We try to expose the minimum amount of knowledge
about the contents of pg_hba.conf to potential attackers.The problem with the message is not that it's uninformative, but that
it's counterfactual....Robert
I agree (I noticed and was bothered by this today, as a matter of irrelevant
fact). I can support the idea of exposing as little as possible of
pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
standard. Just say something like "connection disallowed" and leave it at that
-- either it's disallowed by lack of a rule, or by existence of a "reject"
rule, or by something else entirely. As long as the message isn't clearly
wrong in the "reject" case, as it is now.Did we come to any conclusion on this?
I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"
That's no longer counter-factual, and works for both no entry, and a
rejecting entry...
a.
--
Aidan Van Dyk Create like a god,
aidan@highrise.ca command like a king,
http://www.highrise.ca/ work like a slave.
On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:
I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"That's no longer counter-factual, and works for both no entry, and a
rejecting entry...
That works for me. I don't have strong feelings about it so I'd
probably be OK to a variety of solutions subject to my previous
remarks, but that seems as good as anything.
...Robert
On Wed, Apr 14, 2010 at 4:28 PM, Robert Haas <robertmhaas@gmail.com> wrote:
On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:
I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"That's no longer counter-factual, and works for both no entry, and a
rejecting entry...That works for me. I don't have strong feelings about it so I'd
probably be OK to a variety of solutions subject to my previous
remarks, but that seems as good as anything.
Although on further reflection, part of me feels like it might be even
simpler and clearer to simply say:
connection not authorized
...Robert
On Wed, Apr 14, 2010 at 4:51 PM, Robert Haas <robertmhaas@gmail.com> wrote:
On Wed, Apr 14, 2010 at 4:28 PM, Robert Haas <robertmhaas@gmail.com> wrote:
On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:
I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"That's no longer counter-factual, and works for both no entry, and a
rejecting entry...That works for me. I don't have strong feelings about it so I'd
probably be OK to a variety of solutions subject to my previous
remarks, but that seems as good as anything.Although on further reflection, part of me feels like it might be even
simpler and clearer to simply say:connection not authorized
+1
--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Asesoría y desarrollo de sistemas
Guayaquil - Ecuador
Cel. +59387171157
Robert Haas <robertmhaas@gmail.com> writes:
On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:
I think it sort of just died. �I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
� "No pg_hba.conf authorizing entry"That's no longer counter-factual, and works for both no entry, and a
rejecting entry...
That works for me.
It needs copy-editing. Maybe
no pg_hba.conf entry allows access for host ... user ...
regards, tom lane
I wrote:
Robert Haas <robertmhaas@gmail.com> writes:
On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan@highrise.ca> wrote:
I think it sort of just died. �I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
� "No pg_hba.conf authorizing entry"That's no longer counter-factual, and works for both no entry, and a
rejecting entry...
That works for me.
It needs copy-editing. Maybe
no pg_hba.conf entry allows access for host ... user ...
Actually, on reflection, I'm not sure that these suggestions really do
anything for the "counter-factual" complaint. The case where you'd
normally use an explicit REJECT entry is where you're REJECTing some
limited case in an entry that is before a wider-scope entry that would
accept it. So it doesn't seem entirely accurate to say that there is no
pg_hba.conf entry that would accept the connection. There is one but
it's not the one we chose.
I'm thinking there isn't anything much we can do here without using a
different message wording for a match to a REJECT entry. So it's a
straight-up tradeoff of possible security information leakage against
whether a different wording is really helpful to the admin. Both of
those seem like fairly marginal concerns, really, so I'm having a hard
time deciding which one ought to win. But given that nobody complained
before this, is it worth changing?
regards, tom lane
On Wed, Apr 14, 2010 at 8:19 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
I'm thinking there isn't anything much we can do here without using a
different message wording for a match to a REJECT entry. So it's a
straight-up tradeoff of possible security information leakage against
whether a different wording is really helpful to the admin. Both of
those seem like fairly marginal concerns, really, so I'm having a hard
time deciding which one ought to win. But given that nobody complained
before this, is it worth changing?
What's wrong with something like "connection not permitted" or
"connection not authorized"?
...Robert
Robert Haas <robertmhaas@gmail.com> writes:
What's wrong with something like "connection not permitted" or
"connection not authorized"?
The case that we're trying to cater to with the existing wording is
novice DBAs, who are likely to stare at such a message and not even
realize that pg_hba.conf is what they need to change. Frankly, by
the time anyone is using REJECT entries they are probably advanced
enough to not need much help from the error message; but what you
propose is an absolute lock to increase the number of newbie questions
on the lists by a large factor.
regards, tom lane
Tom Lane wrote:
Robert Haas <robertmhaas@gmail.com> writes:
What's wrong with something like "connection not permitted" or
"connection not authorized"?The case that we're trying to cater to with the existing wording is
novice DBAs, who are likely to stare at such a message and not even
realize that pg_hba.conf is what they need to change. Frankly, by
the time anyone is using REJECT entries they are probably advanced
enough to not need much help from the error message; but what you
propose is an absolute lock to increase the number of newbie questions
on the lists by a large factor.
Agreed. I would rather have an inaccurate error message that mentions
pg_hba.conf than an accurate one that doesn't.
Error messages should always point at a solution, if possible.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
On Wed, Apr 14, 2010 at 8:31 PM, Bruce Momjian <bruce@momjian.us> wrote:
Tom Lane wrote:
Robert Haas <robertmhaas@gmail.com> writes:
What's wrong with something like "connection not permitted" or
"connection not authorized"?The case that we're trying to cater to with the existing wording is
novice DBAs, who are likely to stare at such a message and not even
realize that pg_hba.conf is what they need to change. Frankly, by
the time anyone is using REJECT entries they are probably advanced
enough to not need much help from the error message; but what you
propose is an absolute lock to increase the number of newbie questions
on the lists by a large factor.Agreed. I would rather have an inaccurate error message that mentions
pg_hba.conf than an accurate one that doesn't.Error messages should always point at a solution, if possible.
OK, how about "connection not authorized by pg_hba.conf"?
...Robert
Robert Haas <robertmhaas@gmail.com> writes:
OK, how about "connection not authorized by pg_hba.conf"?
This is still not especially helpful for novice DBAs. We want to point
them in the direction that they need to add an entry to pg_hba.conf,
which is 99% likely to be what's wanted. The current wording provides
that hint; vague statements like the above don't.
regards, tom lane
On Wed, Apr 14, 2010 at 10:21 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Robert Haas <robertmhaas@gmail.com> writes:
OK, how about "connection not authorized by pg_hba.conf"?
This is still not especially helpful for novice DBAs. We want to point
them in the direction that they need to add an entry to pg_hba.conf,
which is 99% likely to be what's wanted. The current wording provides
that hint; vague statements like the above don't.
*scratches head*
So you'd prefer a message that is sometimes flat-out wrong over a
message that is correct but less informative in the common case? I
guess that could be right call, but it's not what I'd pick.
...Robert
