Обсуждение: BUG #1001: Inconsistent authentication between psql and PQconnectdb - possible security implications?
BUG #1001: Inconsistent authentication between psql and PQconnectdb - possible security implications?
От
"PostgreSQL Bugs List"
Дата:
The following bug has been logged online: Bug reference: 1001 Logged by: Alan W. Irwin Email address: irwin@beluga.phys.uvic.ca PostgreSQL version: 7.4 Operating system: Debian stable (Linux) Description: Inconsistent authentication between psql and PQconnectdb - possible security implications? Details: I use "ident sameuser" authentication. Here are the relevant details from pg_hba.conf. local all all ident sameuser host all all 127.0.0.1 255.255.255.255 ident sameuser host all all 0.0.0.0 0.0.0.0 reject All is well with psql authentication. However, when I tried to use knoda/hk_classes to access the database, I could not get authenticated. A typical error message was IDENT authenticationfailed for user "irwin". When I traced this down through the hk_classes code it was using PQconnectdb to connnectto the database, and there were complaints in the postgresql log that the identd server was not available. All knoda/hk_classes/PQconnectdbproblems disappeared when I installed identd (apt-get install pidentd) on my Debian stable system. So all seems well when identd is installed, but there may be a security concern with psql when it is not. On theother hand, if psql is actually secure when identd is not running, then why isn't PQconnectdb using the exact same (secure)method of authentication for this case? Note, this authentication inconsistency between psql and PQconnectdb in the absence of an identd server occurs both fora postgresql-7.4 version that I built and installed myself and also for the Debian stable version (7.2.1-2woody4) of postgresql.
On Fri, 5 Dec 2003, PostgreSQL Bugs List wrote: > I use "ident sameuser" authentication. Here are the relevant details from pg_hba.conf. > > local all all ident sameuser > host all all 127.0.0.1 255.255.255.255 ident sameuser > host all all 0.0.0.0 0.0.0.0 reject > > All is well with psql authentication. However, when I tried to > use knoda/hk_classes to access the database, I could not get > authenticated. A typical error message was IDENT authentication failed > for user "irwin". When I traced this down through the hk_classes code > it was using PQconnectdb to connnect to the database, and there were > complaints in the postgresql log that the identd server was not > available. All knoda/hk_classes/PQconnectdb problems disappeared when I > installed identd (apt-get install pidentd) on my Debian stable system. > So all seems well when identd is installed, but there may be a security > concern with psql when it is not. On the other hand, if psql is > actually secure when identd is not running, then why isn't PQconnectdb > using the exact same (secure) method of authentication for this case? My first guess is that knoda/hk_classes was going to 127.0.0.1 and psql was going through the local socket. local/ident is different from host/ident (see the section on ident authentication), the latter requires an ident server, the former does not.
On Fri, Dec 05, 2003 at 12:47:58 -0400, PostgreSQL Bugs List <pgsql-bugs@postgresql.org> wrote: > > All is well with psql authentication. However, when I tried to > use knoda/hk_classes to access the database, I could not get authenticated. A typical error message was IDENT authenticationfailed for user "irwin". When I traced this down through the hk_classes code it was using PQconnectdb to connnectto the database, and there were complaints in the postgresql log that the identd server was not available. All knoda/hk_classes/PQconnectdbproblems disappeared when I installed identd (apt-get install pidentd) on my Debian stable system. So all seems well when identd is installed, but there may be a security concern with psql when it is not. On theother hand, if psql is actually secure when identd is not running, then why isn't PQconnectdb using the exact same (secure)method of authentication for this case? When connecting using domain sockets the local equivalent of getpeeruid is used to determine which user is connecting rather than by asking an ident server. When you use a network socket, then the user is checked by asking the ident server at the same IP address as the connection is coming from.