Re: pg_hba.conf: samehost and samenet [REVIEW]

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, stef(at)memberwebs(dot)com, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-23 21:46:10
Message-ID: 4ABA9722.5020609@mark.mielke.cc
Lists: pgsql-hackers

On 09/23/2009 05:37 PM, Andrew Dunstan wrote:
> Tom Lane wrote:
>> In this case what particularly scares me is the idea that 'samenet'
>> might be interpreted to let in a larger subnet than the user expected,
>> eg 10/8 instead of 10.0.0/24. You'd likely not notice the problem until
>> after you'd been broken into ...
>>
>
> I haven't looked at this "feature" at all, but I'd be inclined, on the
> grounds you quite reasonably cite, to require a netmask with
> "samenet", rather than just ask the interface for its netmask.

I think requiring a netmask defeats some of the value of samenet. Being
assigned a new address can change the subnet as well. For example,
when we moved one of our machines from one room to another it went from
/24 to /26.

I think it should be understood that the network will not work properly
if the user has the wrong network configuration. If they accidentally
use /8 instead of /24 on their interface - it's more likely that some or
all of their network will become inaccessible, than somebody breaking
into their machine. And, anything is better than 0.0.0.0.

There are two questions here I think - one is whether or not samenet is
valid and would provide value, which I think it is and it does. A second
question is whether it should be enabled in the default pg_hba.conf - I
think not.

Postfix has this capability and it works fine. I use it to allow relay
email from machines I "trust", because they are on my network. I think
many people would use it, and it would be the right solution for many
problems. Worrying about how some person somewhere might screw up, when
they have the same opportunity to screw up if things are left unchanged
(0.0.0.0) is not a practical way of looking at things.

How many Postfix servers have you heard of being open relays as a result
of "samenet"? I haven't heard of it ever happening. I suppose it doesn't
mean it hasn't happened - but I think getting the network interface
configured properly being a necessity for the machine working properly
is a very good encouragement for it to work.

Cheers,
mark

--
Mark Mielke <mark(at)mielke(dot)cc>
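
Added example, not part of the original message or of the patch under review: a small audit that shows which networks a netmask-derived "samenet" rule would admit, and flags any that are wider than the administrator expects (the 10/8 versus 10.0.0/24 case raised in the thread). The interface list is constructed sample data, and the function names and the /24 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: (interface, address, netmask) as the OS might report it.
SAMPLE_INTERFACES = [
    ("eth0", "10.0.0.17", "255.255.255.0"),       # intended /24
    ("eth1", "10.1.2.3", "255.0.0.0"),            # mistyped mask: /8
    ("eth2", "192.168.5.70", "255.255.255.192"),  # /26
    ("lo", "127.0.0.1", "255.0.0.0"),
]

def samenet_networks(interfaces):
    """Map each interface to the network its address/netmask pair describes."""
    nets = {}
    for name, addr, mask in interfaces:
        # strict=False clears the host bits, as address/netmask matching does.
        nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets

def audit(interfaces, min_prefix=24, skip_loopback=True):
    """Return (interface, network) pairs wider than the expected min_prefix."""
    findings = []
    for name, net in samenet_networks(interfaces).items():
        if skip_loopback and net.is_loopback:
            continue
        if net.prefixlen < min_prefix:
            findings.append((name, net))
    return findings

def would_admit(interfaces, client):
    """Names of interfaces whose derived network contains the client address."""
    ip = ipaddress.ip_address(client)
    return [n for n, net in samenet_networks(interfaces).items() if ip in net]

if __name__ == "__main__":
    for name, net in samenet_networks(SAMPLE_INTERFACES).items():
        print(f"{name}: samenet -> {net} ({net.num_addresses} addresses)")
    for name, net in audit(SAMPLE_INTERFACES):
        print(f"WARNING {name}: {net} is wider than the expected /24")
    # A client far outside 10.0.0/24 still matches via the mistyped /8 mask.
    print("10.200.9.9 admitted via:", would_admit(SAMPLE_INTERFACES, "10.200.9.9"))
```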
