Participants
Bruce Momjian
Bruce Momjian
Oliver Elphick
Oliver Elphick
Attachments
Show all attachments
Thread Outline
#1Oliver ElphickOliver Elphick
Jul 12, 2001
#2Bruce MomjianBruce Momjianto Oliver Elphick (#1)
Jul 12, 2001
#3Bruce MomjianBruce Momjianto Oliver Elphick (#1)
Sep 05, 2001

Re: Re: Debian's PostgreSQL packages

Started by Oliver Elphickalmost 25 years ago3 messageshackersgeneral
Jump to latest
#1Oliver Elphick
Oliver Elphick
olly@lfix.co.uk
hackersgeneral

Bruce Momjian wrote:

I think our current idea is to have people run local ident servers to
handle this. We don't have any OS-specific stuff in pg_hba.conf and I
am not sure if we want to add that complexity. What do others think?

This is not any less "specific" than SSL or Kerberos. Note that opening a
TCP/IP socket already opens a theoretical hole to the world. Unix domain
is much safer.

You can install SSL/Kerberos on any Unix, and many come pre-installed.
You can't add unix-domain socket user authentication to any OS.

I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
a hole:

127 127.0.0.1 UGRS 4352 lo0
127.0.0.1 127.0.0.1 UH 4352 lo0

However, the security issue may make it worthwhile. Which OS's support
user authentication again, and can we test via configure? Maybe we can
strip out the mention in the pg_hba.conf file if it is not supported on
that OS.

The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.

I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.

I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.

--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"I waited patiently for the LORD; and he inclined unto
me, and heard my cry. He brought me up also out of an
horrible pit, out of the miry clay, and set my feet
upon a rock, and established my goings. And he hath
put a new song in my mouth, even praise unto our God.
Many shall see it, and fear, and shall trust in the
LORD." Psalms 40:1-3

Import Notes
Reply to msg id not found: MessagefromBruceMomjianpgman@candle.pha.pa.usofWed11Jul2001195237EDT.200107112352.f6BNqbc06810@candle.pha.pa.us
#2Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Oliver Elphick (#1)
hackersgeneral
Re: [GENERAL] Re: Debian's PostgreSQL packages

The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.

I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.

Yes, I see something similar in BSD/OS. Manual page attached.

I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.

Yea, I guess.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Attachments:

/bjm/recvfromtext/plainDownload
#3Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Oliver Elphick (#1)
hackersgeneral
Re: [GENERAL] Re: Debian's PostgreSQL packages

Funny, I found this going through my mailbox. Seems I was going to
return to this SO_PEERCRED anyway.

Bruce Momjian wrote:

I think our current idea is to have people run local ident servers to
handle this. We don't have any OS-specific stuff in pg_hba.conf and I
am not sure if we want to add that complexity. What do others think?

This is not any less "specific" than SSL or Kerberos. Note that opening a
TCP/IP socket already opens a theoretical hole to the world. Unix domain
is much safer.

You can install SSL/Kerberos on any Unix, and many come pre-installed.
You can't add unix-domain socket user authentication to any OS.

I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
a hole:

127 127.0.0.1 UGRS 4352 lo0
127.0.0.1 127.0.0.1 UH 4352 lo0

However, the security issue may make it worthwhile. Which OS's support
user authentication again, and can we test via configure? Maybe we can
strip out the mention in the pg_hba.conf file if it is not supported on
that OS.

The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.

I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.

I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.

--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"I waited patiently for the LORD; and he inclined unto
me, and heard my cry. He brought me up also out of an
horrible pit, out of the miry clay, and set my feet
upon a rock, and established my goings. And he hath
put a new song in my mouth, even praise unto our God.
Many shall see it, and fear, and shall trust in the
LORD." Psalms 40:1-3

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/users-lounge/docs/faq.html

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
← Back to Topics