diff options
author | Tom Lane <tgl@sss.pgh.pa.us> | 2010-04-21 03:32:53 +0000 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2010-04-21 03:32:53 +0000 |
commit | a2c3931a244b67115a0eac1ee5fde9eb7cb4e42c (patch) | |
tree | 29ce8f4c20563cde96048a4e562b2456a159aa28 /src/backend/libpq/auth.c | |
parent | a3c6d105752c28dbd19d0558733a2157e6ab55e0 (diff) | |
download | postgresql-a2c3931a244b67115a0eac1ee5fde9eb7cb4e42c.tar.gz postgresql-a2c3931a244b67115a0eac1ee5fde9eb7cb4e42c.zip |
Fix pg_hba.conf matching so that replication connections only match records
with database = replication. The previous coding would allow them to match
ordinary records too, but that seems like a recipe for security breaches.
Improve the messages associated with no-such-pg_hba.conf entry to report
replication connections as such, since that's now a critical aspect of
whether the connection matches. Make some cursory improvements in the related
documentation, too.
Diffstat (limited to 'src/backend/libpq/auth.c')
-rw-r--r-- | src/backend/libpq/auth.c | 105 |
1 files changed, 75 insertions, 30 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index ac26317d264..c4e234186e6 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.199 2010/04/19 19:02:18 sriggs Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.200 2010/04/21 03:32:53 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -36,6 +36,7 @@ #include "libpq/pqformat.h" #include "libpq/md5.h" #include "miscadmin.h" +#include "replication/walsender.h" #include "storage/ipc.h" @@ -250,6 +251,7 @@ auth_failed(Port *port, int status) switch (port->hba->auth_method) { case uaReject: + case uaImplicitReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; case uaKrb5: @@ -363,12 +365,14 @@ ClientAuthentication(Port *port) case uaReject: /* - * An explicit "reject" entry in pg_hba.conf. Take pity on the poor - * user and issue a helpful error message. - * NOTE: this is not a security breach, because all the info - * reported here is known at the frontend and must be assumed - * known to bad guys. We're merely helping out the less clueful - * good guys. + * An explicit "reject" entry in pg_hba.conf. This report exposes + * the fact that there's an explicit reject entry, which is perhaps + * not so desirable from a security standpoint; but the message + * for an implicit reject could confuse the DBA a lot when the + * true situation is a match to an explicit reject. And we don't + * want to change the message for an implicit reject. As noted + * below, the additional information shown here doesn't expose + * anything not known to an attacker. */ { char hostinfo[NI_MAXHOST]; @@ -378,29 +382,50 @@ ClientAuthentication(Port *port) NULL, 0, NI_NUMERICHOST); + if (am_walsender) + { #ifdef USE_SSL - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\", %s", - hostinfo, port->user_name, port->database_name, - port->ssl ? _("SSL on") : _("SSL off")))); + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", + hostinfo, port->user_name, + port->ssl ? _("SSL on") : _("SSL off")))); #else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("pg_hba.conf rejects host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, port->database_name))); + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"", + hostinfo, port->user_name))); #endif + } + else + { +#ifdef USE_SSL + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", + hostinfo, port->user_name, + port->database_name, + port->ssl ? _("SSL on") : _("SSL off")))); +#else + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"", + hostinfo, port->user_name, + port->database_name))); +#endif + } break; } case uaImplicitReject: /* - * No matching entry so tell the user we fell through. - * NOTE: this is not a security breach, because all the info - * reported here is known at the frontend and must be assumed - * known to bad guys. We're merely helping out the less clueful - * good guys. + * No matching entry, so tell the user we fell through. + * + * NOTE: the extra info reported here is not a security breach, + * because all that info is known at the frontend and must be + * assumed known to bad guys. We're merely helping out the less + * clueful good guys. */ { char hostinfo[NI_MAXHOST]; @@ -410,18 +435,38 @@ ClientAuthentication(Port *port) NULL, 0, NI_NUMERICHOST); + if (am_walsender) + { #ifdef USE_SSL - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", - hostinfo, port->user_name, port->database_name, - port->ssl ? _("SSL on") : _("SSL off")))); + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", + hostinfo, port->user_name, + port->ssl ? _("SSL on") : _("SSL off")))); #else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, port->database_name))); + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"", + hostinfo, port->user_name))); +#endif + } + else + { +#ifdef USE_SSL + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", + hostinfo, port->user_name, + port->database_name, + port->ssl ? _("SSL on") : _("SSL off")))); +#else + ereport(FATAL, + (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"", + hostinfo, port->user_name, + port->database_name))); #endif + } break; } |