Re: pg_hba.conf editing question

From: Guillaume Lelarge <guillaume(at)lelarge(dot)info>
To: Scott Furry <scott(dot)wl(dot)furry(at)gmail(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: pg_hba.conf editing question
Date: 2014-07-20 21:20:35
Message-ID: CAECtzeVdP0Ag1Aa5m2AySbDhFU2=b_pETm6rcgAxDjdPjb8h7A@mail.gmail.com
Lists: pgadmin-support

2014-07-20 23:15 GMT+02:00 Scott Furry <scott(dot)wl(dot)furry(at)gmail(dot)com>:

>
> On 20/07/14 02:45 PM, Guillaume Lelarge wrote:
>
>> 2014-07-19 18:11 GMT+02:00 Scott Furry <scott(dot)wl(dot)furry(at)gmail(dot)com>:
>>
>>
>> I am working with the pgAdmin git source and I am having trouble
>> understanding the adminpack functions being used.
>>
>> In the file pgadmin/frm/frmHbaConfig.cpp, the pg_hba.conf edit
>> form constructor appears to get the absolute path to the
>> configuration file and stores this value in "serverFileName"
>> ("SHOW hba_file"). The value is then used a few lines down in a
>> call to "SELECT pg_file_read(...)".
>>
>> Net Search suggests that pg_file_read can be used to access files
>> in the pg data/log directories only. Experimenting on my
>> localhost, any attempt to use a "../" or an absolute path results
>> in an error.
>>
>> What I'm having a problem understanding is how the pg_file_read
>> function can work in this context. I can access files in the data
>> directory nicely, but emulating the queries being used in the
>> pgAdmin code will not work. What magic was built into the code to
>> get around the absolute path security?
>>
>>
>> No magic. pg_file_read() calls pg_read_file. Here is the main comment of
>> this function:
>>
>> /*
>>  * Convert a "text" filename argument to C string, and check it's allowable.
>>  *
>>  * Filename may be absolute or relative to the DataDir, but we only allow
>>  * absolute paths that match DataDir or Log_directory.
>>  */
>>
>> So the path may be absolute but, in such a case, it must contain the data
>> directory.
>>
> What about the case of a Linux-based system? There was another message on
> the pgAdmin list mentioning that pg_file_read did not work on Debian. I
> used pgAdmin on a Windows system to edit the pg_hba.conf file. No problems,
> but emulating that behaviour on Linux systems by entering the SQL commands
> fails.
>
> I'm using the postgres account and the "SELECT pg_file_read" command fails
> if I try to take into account the data directory.
> Using:
> SELECT * from pg_read_file('../../../../../etc/postgresql/9.3/main/pg_hba.conf');
> will return the error:
> ERROR: path must be in or below the current directory
>
> Yet this sequence of commands works for pgAdmin?

I'm pretty sure it doesn't.

> This is why I'm asking here if there was some special setup made when
> calling the config file editing.
>
>
Nope, no special setup.

--
Guillaume.
http://blog.guillaume.lelarge.info
http://www.dalibo.com
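
The rule in the quoted source comment and the error quoted in the message, as an added example in C (not part of the original message and not PostgreSQL's source). It is a simplified model that handles POSIX-style paths only and rejects any `..` component without canonicalizing first; the function names, verdict names and sample directories are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: simplified model of the rule in the quoted comment.
 * Names and sample directories are hypothetical, not PostgreSQL source. */
typedef enum { PATH_OK, ERR_PARENT_REF, ERR_ABS_OUTSIDE, ERR_NOT_BELOW_CWD } path_verdict;

/* True if ".." appears as a whole path component. */
static int has_parent_ref(const char *p)
{
    while (*p) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n + (p[n] == '/');              /* skip component and separator */
    }
    return 0;
}

/* True if path equals dir or lies under it, on a component boundary. */
static int is_under(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return n > 0 && strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

path_verdict check_filename(const char *path, const char *data_dir, const char *log_dir)
{
    if (path[0] == '/') {                    /* absolute path */
        if (has_parent_ref(path))
            return ERR_PARENT_REF;           /* no climbing back out of an allowed dir */
        if (is_under(data_dir, path) || (log_dir[0] == '/' && is_under(log_dir, path)))
            return PATH_OK;
        return ERR_ABS_OUTSIDE;
    }
    /* Relative paths resolve against the data directory and must stay below it. */
    return has_parent_ref(path) ? ERR_NOT_BELOW_CWD : PATH_OK;
}

int main(void)
{
    const char *data = "/var/lib/postgresql/9.3/main", *logd = "pg_log"; /* constructed */
    const char *tries[] = {                  /* second entry is the path from the message */
        "pg_hba.conf", "../../../../../etc/postgresql/9.3/main/pg_hba.conf",
        "/etc/postgresql/9.3/main/pg_hba.conf", "/var/lib/postgresql/9.3/main/pg_hba.conf" };
    for (size_t i = 0; i < sizeof tries / sizeof *tries; i++)
        printf("%d  %s\n", check_filename(tries[i], data, logd), tries[i]);
    return 0;
}
```

In this model a `pg_hba.conf` kept outside the data directory is refused whether it is named by absolute path or through `..`, which matches the error shown in the message.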
