| Header | Value |
|---|---|
| From | Stef Walter <stef-list(at)memberwebs(dot)com> |
| To | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc | pgsql-hackers(at)postgresql(dot)org |
| Subject | Re: Use "samehost" by default in pg_hba.conf? |
| Date | 2009-10-01 17:56:04 |
| Message-ID | 4AC4ED34.50200@memberwebs.com |
| Lists | pgsql-hackers |

Tom Lane wrote:
> Stef Walter <stef-list(at)memberwebs(dot)com> writes:
>> Tom Lane wrote:
>>> Now that the samehost/samenet patch is in, I wonder if it wouldn't be
>>> a good idea to replace this part of the default pg_hba.conf file:
>
>> You're probably not suggesting this, but I would be against a default
>> setting of 'samehost' used with 'trust'.
>
>> Essentially that would be the same as rlogin rsh, where if the user can
>> spoof a TCP connection, he can connect to postgresql. Depending on the
>> platform, an interface may have to be down for this to work.
>
> Is there any actual risk here that we aren't taking already just by
> allowing 127.0.0.1?
Yes, RFC 1122 specifies that 127.0.0.0/8 must not appear outside of a
single host. Checks for this are implemented. For example, in FreeBSD:

http://fxr.watson.org/fxr/source/netinet/ip_input.c#L440
http://fxr.watson.org/fxr/search?string=IN_LOOPBACK

Obviously I can't guarantee this for any given OS. However, it does seem
like a pretty standard security feature of the IP stack.

In my opinion, adding samehost into the default pg_hba.conf with the
method set to md5 (attached patch) would be both usable and secure.

Cheers,
Stef

Attachment | Content-Type | Size |
---|---|---|
samehost-pghba-default.patch | text/x-diff | 515 bytes |
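As an added illustration (not the attached patch and not PostgreSQL's own code), the address matching behind the three pg_hba.conf variants discussed above, modelled in Python for `host` rules only; the server's interface addresses and the rule tables are constructed, and the loopback check stands in for the RFC 1122 behaviour of the IP stack.

```python
"""Model of pg_hba.conf ADDRESS matching for 'host' rules, comparing
'127.0.0.1/32 trust', 'samehost trust' and 'samehost md5'.
Illustration only; not PostgreSQL source."""
import ipaddress

# Constructed: addresses configured on the server's own interfaces.
LOCAL_INTERFACES = [
    ipaddress.ip_interface("127.0.0.1/8"),
    ipaddress.ip_interface("::1/128"),
    ipaddress.ip_interface("192.168.1.10/24"),
]

# Constructed rule tables as (ADDRESS, METHOD) pairs, first match wins.
LOOPBACK_TRUST = [("127.0.0.1/32", "trust"), ("::1/128", "trust")]
SAMEHOST_TRUST = [("samehost", "trust")]
SAMEHOST_MD5 = [("samehost", "md5")]


def address_matches(spec, client):
    """True if a pg_hba ADDRESS field matches the client address."""
    if spec == "samehost":
        # every address configured on a local interface, loopback or not
        return any(client == iface.ip for iface in LOCAL_INTERFACES)
    if spec == "samenet":
        # every subnet directly attached to a local interface
        return any(client in iface.network for iface in LOCAL_INTERFACES)
    # IPv4/IPv6 mismatches simply fail to match, as with ipaddress itself
    return client in ipaddress.ip_network(spec, strict=False)


def select_method(rules, client_addr):
    """Return the METHOD of the first matching rule, or None (rejected)."""
    client = ipaddress.ip_address(client_addr)
    for spec, method in rules:
        if address_matches(spec, client):
            return method
    return None


def unauthenticated_from_wire(rules):
    """Local addresses a 'trust' rule accepts that are not loopback.
    The IP stack drops 127/8 and ::1 sources arriving on a real interface
    (RFC 1122), so only these addresses could be reached by a spoofed
    connection from outside the host."""
    return [
        str(iface.ip)
        for iface in LOCAL_INTERFACES
        if not iface.ip.is_loopback
        and select_method(rules, str(iface.ip)) == "trust"
    ]
```

`samehost md5` keeps the same matching set as `samehost trust` but leaves no address that accepts connections without a password.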