Обсуждение: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)

Поиск
Список
Период
Сортировка

Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)

От
Tom Lane
Дата:
Orion Henry <orion@trustcommerce.com> writes:
> It appears to be faulting on a kerberos call which is odd because I
> don't use kerberos for anything.

I was a bit surprised to realize that if you compile Kerberos support at
all, libpq will try to get a user name from Kerberos in preference to
using getpwuid().  This strikes me as odd and surprising behavior.
There's certainly no security reason for it, since we are only getting
a default user name that can be trivially overridden.

Does anyone see a reason why we shouldn't trust getpwuid to supply the
default username in all cases?  I'm thinking of ripping out
fe_setauthsvc/fe_getauthsvc as well ...
        regards, tom lane

Re: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)

От
Greg Stark
Дата:
Tom Lane <tgl@sss.pgh.pa.us> writes:

> Orion Henry <orion@trustcommerce.com> writes:
> > It appears to be faulting on a kerberos call which is odd because I
> > don't use kerberos for anything.
> 
> I was a bit surprised to realize that if you compile Kerberos support at
> all, libpq will try to get a user name from Kerberos in preference to
> using getpwuid().  This strikes me as odd and surprising behavior.
> There's certainly no security reason for it, since we are only getting
> a default user name that can be trivially overridden.

Harumph. I reported this about a year ago:

http://archives.postgresql.org/pgsql-general/2002-12/msg00740.php

I'm not sure it can be fixed by just not setting the default username though.

In fact I think there's something a little backwards about deciding on a
default username in advance and then trying various authentication methods.

In my case I have a kerberos principal gsstark@ATHENA.MIT.EDU and a local
username of "stark".

It seems like it should try to do the kerberos authentication as username
"gsstark" (or even "gsstark@ATHENA.MIT.EDU" since the realm is significant).
And if that fails, then it should try to log in as "stark" using unix userid
authentication.

The only fear I have with that direction is that it makes things a bit
unpredictable. I could see it being weird having scripts randomly fail because
they logged in as the wrong user if the tickets happened to have expired or
the network goes down.

-- 
greg

Re: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)

От
Tom Lane
Дата:
Greg Stark <gsstark@mit.edu> writes:
> In fact I think there's something a little backwards about deciding on a
> default username in advance and then trying various authentication methods.

Perhaps, but we're stuck with that without a massive (and non backwards
compatible) redesign of the connection protocol.  libpq has to send a
connection-request packet that includes the username before it knows
which auth method will be selected.  There are people around here who
consider it a feature that pg_hba.conf can base the decision which auth
method to use on the supplied username...

> In my case I have a kerberos principal gsstark@ATHENA.MIT.EDU and a local
> username of "stark".

AFAICS libpq doesn't have any very principled way to choose which of
those to use as default username.  But I'd prefer to see it make the
same choice whether it's compiled with kerberos support or not.  The
present behavior doesn't seem to me to satisfy the principle of least
astonishment.

In your situation, if you wanted to log in using kerberos authentication
then you'd probably end up setting PGUSER=gsstark to get the right thing
to happen.
        regards, tom lane