| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | stef(at)memberwebs(dot)com, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_hba.conf: samehost and samenet [REVIEW] |
| Date: | 2009-09-23 21:40:34 |
| Message-ID: | 8225.1253742034@sss.pgh.pa.us |
| Lists: | pgsql-hackers |

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Tom Lane wrote:
>> In this case what particularly scares me is the idea that 'samenet'
>> might be interpreted to let in a larger subnet than the user expected,
>> eg 10/8 instead of 10.0.0/24. You'd likely not notice the problem until
>> after you'd been broken into ...
> I haven't looked at this "feature" at all, but I'd be inclined, on the
> grounds you quite reasonably cite, to require a netmask with "samenet",
> rather than just ask the interface for its netmask.

I was just thinking the same thing. Could we then unify samehost and
samenet into one thing? sameaddr/24 or something like that, with
samehost just being the limiting case of all bits used. I am not
sure though if this works nicely for IPv6 as well as IPv4.

regards, tom lane
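
The prefix-length matching discussed in this message, as an added Python example that is not part of the original message and is not PostgreSQL code. The names `same_addr` and `widened` and all sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample: addresses bound to the server's interfaces.
LOCAL_ADDRS = ["10.0.0.5", "2001:db8::5"]


def same_addr(client, local_addrs, prefix_len=None):
    """Hypothetical 'sameaddr/N' test.

    True if `client` shares its first `prefix_len` bits with any local
    address of the same family. prefix_len=None uses every bit, which is
    the 'samehost' limiting case (/32 for IPv4, /128 for IPv6).
    """
    addr = ipaddress.ip_address(client)
    for local in local_addrs:
        loc = ipaddress.ip_address(local)
        if loc.version != addr.version:
            continue  # never compare across address families
        bits = loc.max_prefixlen if prefix_len is None else prefix_len
        if bits > loc.max_prefixlen:
            continue  # e.g. /64 has no meaning for an IPv4 address
        # strict=False masks off the host bits of the local address
        net = ipaddress.ip_network(f"{loc}/{bits}", strict=False)
        if addr in net:
            return True
    return False


def widened(clients, local_addrs, reported_len, intended_len):
    """Clients admitted under the interface-reported prefix length but
    rejected under the length the administrator intended."""
    return [
        c for c in clients
        if same_addr(c, local_addrs, reported_len)
        and not same_addr(c, local_addrs, intended_len)
    ]


if __name__ == "__main__":
    # Constructed client addresses.
    clients = ["10.0.0.77", "10.9.9.9", "192.168.1.1"]
    # Interface reports 10/8 while the administrator expected 10.0.0/24.
    print(widened(clients, LOCAL_ADDRS, reported_len=8, intended_len=24))
    # One number applied to both families: /24 is a very wide IPv6 range.
    print(same_addr("2001:dff::1", LOCAL_ADDRS, 24))
```
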