Bug #890: only one user per process in libpq with krb5 auth

Started by PostgreSQL Bugs List about 23 years ago | 6 messages | bugs
#1 PostgreSQL Bugs List
pgsql-bugs@postgresql.org

Ed Schaller (schallee@darkmist.net) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
only one user per process in libpq with krb5 auth

Long Description
Most of the Kerberos authentication information used to authenticate a connection to the server with libpq is stored in global variables. This has the result that only one user&passwd can be used per process.

Although this doesn't seem like a big issue on the surface, it makes things like mod_perl/mod_php + mod_auth_kerb mostly useless unless you only have one user. It also can lead to some very odd bugs.

I'm afraid I didn't follow this through like I should as this was originally discussed on pgsql-interfaces last May. The patch from then still applies fine though.

Sample Code
The patch can be found at:

http://www.darkmist.net/~schallee/tmp/pgsql-libpq-kerb.patch

The authentication code in libpq is rather kludgy in general and this patch doesn't help the situation. If I get bored I may try to rewrite it.

No file was uploaded with this report
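
The failure mode described in the report above, as an added example that is not part of the original thread and is not libpq code: a worker process serving several users ends up with connections bound to the first user's principal when the authentication state is process-global. All names here (`lookup_principal`, `auth_global`, `auth_per_conn`, `count_mismatches`), the `EXAMPLE.ORG` realm and the fill-on-first-use caching are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PRINC_LEN 64

/* Hypothetical stand-in for a Kerberos library lookup of the user's principal. */
static void lookup_principal(const char *user, char *out, size_t len)
{
    snprintf(out, len, "%s@EXAMPLE.ORG", user);
}

/* Process-wide auth state, filled on first use (assumed caching pattern). */
static char g_principal[PRINC_LEN];
static const char *auth_global(const char *user)
{
    if (g_principal[0] == '\0') /* only the first connection sets it */
        lookup_principal(user, g_principal, sizeof g_principal);
    return g_principal;
}

/* Per-connection auth state: nothing is shared between connections. */
struct conn_auth { char principal[PRINC_LEN]; };
static const char *auth_per_conn(struct conn_auth *c, const char *user)
{
    lookup_principal(user, c->principal, sizeof c->principal);
    return c->principal;
}

/* Serve n requests in one worker; count connections with the wrong principal. */
int count_mismatches(const char *const *users, int n, int use_global)
{
    char expected[PRINC_LEN];
    int bad = 0;
    g_principal[0] = '\0'; /* fresh worker process */
    for (int i = 0; i < n; i++) {
        struct conn_auth c;
        const char *got = use_global ? auth_global(users[i])
                                     : auth_per_conn(&c, users[i]);
        lookup_principal(users[i], expected, sizeof expected);
        bad += strcmp(got, expected) != 0;
    }
    return bad;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "alice", "carol" }; /* constructed */
    printf("global: %d wrong\n", count_mismatches(users, 4, 1));
    printf("per-connection: %d wrong\n", count_mismatches(users, 4, 0));
    return 0;
}
```

With the global variant, every request after the first is authenticated as the first user; in a web worker fronted by per-user Kerberos authentication, that is an identity mix-up between users as well as a functional bug.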

#2 Bruce Momjian
bruce@momjian.us
In reply to: PostgreSQL Bugs List (#1)
Re: Bug #890: only one user per process in libpq with krb5 auth

Is this ready to be applied? It looks fine to me. I want to remove the
part of the patch that keeps the old structure definitions at the top,
but other than that, it looks good. Is there something that needs
improving about it?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
#3 Ed Schaller
schallee@darkmist.net
In reply to: Bruce Momjian (#2)
Re: Bug #890: only one user per process in libpq with krb5 auth

> Is this ready to be applied? It looks fine to me. I want to remove the
> part of the patch that keeps the old structure definitions at the top,
> but other than that, it looks good. Is there something that needs
> improving about it?

I've been working with it a little and it appears that something has
changed and it will need to be redone. I'm fairly busy, but I'll try to
take a look at it this week as this makes some of my systems inoperable.

------>

--

+-------------+-----------------------+---------------+
| Ed Schaller | Dark Mist Networking  | psuedoshroom  |
+-------------+-----------------------+---------------+
#4 Bruce Momjian
bruce@momjian.us
In reply to: Ed Schaller (#3)
Re: Bug #890: only one user per process in libpq with krb5 auth

OK, please let me know. Thanks.

#5 Ed Schaller
schallee@darkmist.net
In reply to: Bruce Momjian (#4)
Re: Bug #890: only one user per process in libpq with krb5 auth

> OK, please let me know. Thanks.

I haven't taken the time to check the current state of the
authentication code and am relying on my old work on it. Would it be
worth me taking the time to try to rework it in a better manner?

#6 Bruce Momjian
bruce@momjian.us
In reply to: Ed Schaller (#5)
Re: Bug #890: only one user per process in libpq with krb5 auth

I don't think any of that has changed, if that is what you are asking.
