BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf
The following bug has been logged on the website:
Bug reference: 8375
Logged by: Thomas Güttler
Email address: hv@tbz-pariv.de
PostgreSQL version: 9.2.4
Operating system: Linux
Description:
For easier deployment it would be nice to have an include_dir directive in
pg_hba.conf.
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
hv@tbz-pariv.de writes:
> For easier deployment it would be nice to have an include_dir directive in
> pg_hba.conf.

This doesn't seem like a remarkably good idea from here, mainly because
entries in pg_hba.conf are critically order-dependent. Dropping random
entries into a conf.d-like directory could produce unexpected results
--- and in this case, "unexpected result" probably means "security
failure".
regards, tom lane
On 8. aug. 2013, at 14:39, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> This doesn't seem like a remarkably good idea from here, mainly because entries in pg_hba.conf are critically order-dependent. Dropping random entries into a conf.d-like directory could produce unexpected results --- and in this case, "unexpected result" probably means "security failure".

Don't mean to spark or fuel any major discussion on this, but other than seconding that, I'd like to add in that if you need anything that advanced, chances are that you should either look at simplifying (wildcard usernames, etc), look at other authentication-systems (PAM), or set up a build-system for pg_hba.
Terje
On Thu, Aug 8, 2013 at 2:39 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> hv@tbz-pariv.de writes:
>> For easier deployment it would be nice to have an include_dir directive in
>> pg_hba.conf.
>
> This doesn't seem like a remarkably good idea from here, mainly because entries in pg_hba.conf are critically order-dependent. Dropping random entries into a conf.d-like directory could produce unexpected results --- and in this case, "unexpected result" probably means "security failure".

If they are random, yes. You could easily define them as ordered
though, by strict alphabetical ordering etc.
It's still a pretty decently sized footgun for people though, and I'm
not sure how useful it would actually be. And with the risk of
misconfiguration being a security hole rather than a badly configured
database (which would be the problem with a similar thing for
postgresql.conf).
Perhaps the OP has a specific use case to share where this would
actually be both safe and useful?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
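
The order dependence discussed in this thread, as an added example that is not part of any message above and is not PostgreSQL code: a small first-match evaluator and shadowed-record check run over two constructed fragments merged in strict file-name order. The fragment file names, the simplified five-field `host` record format, and the addresses are assumptions made for illustration.

```python
import ipaddress

def parse(text):
    """Parse simplified records: TYPE DATABASE USER CIDR METHOD."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            _type, db, user, cidr, method = line.split()
            rules.append((db, user, ipaddress.ip_network(cidr), method))
    return rules

def merge(fragments):
    """Concatenate fragments in strict file-name order (hypothetical include_dir)."""
    return [r for name in sorted(fragments) for r in parse(fragments[name])]

def decide(rules, db, user, addr):
    """The first matching record decides; later records are never consulted."""
    ip = ipaddress.ip_address(addr)
    for rdb, ruser, net, method in rules:
        if rdb in ("all", db) and ruser in ("all", user) and ip in net:
            return method
    return "reject"  # no matching record: access is denied

def covers(early, late):
    """True if every connection matched by `late` is already matched by `early`."""
    (edb, euser, enet, _), (db, user, net, _) = early, late
    return (edb in ("all", db) and euser in ("all", user)
            and enet.version == net.version and net.subnet_of(enet))

def shadowed(rules):
    """Return (earlier, later) index pairs where the later record can never match."""
    pairs = []
    for j, late in enumerate(rules):
        for i, early in enumerate(rules[:j]):
            if covers(early, late):
                pairs.append((i, j))
                break
    return pairs

# Constructed sample fragments: a general rule and a deny rule for one subnet.
BASE = "host all all 10.0.0.0/8 md5\n"
DENY = "host all all 10.9.0.0/16 reject  # quarantined subnet\n"

# Same two fragments, different file names, different effective policy.
deny_first = merge({"10-deny.conf": DENY, "50-base.conf": BASE})
deny_last = merge({"50-base.conf": BASE, "90-deny.conf": DENY})
```

With the deny fragment sorted last, the broader `md5` record matches first and the `reject` record is dead, which `shadowed()` reports as the pair `(0, 1)`.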