NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit63d8350

committed

Don't set PAM_RHOST for Unix sockets.

Since commit2f1d2b7 we have set PAM_RHOST to "[local]" for Unixsockets. This caused Linux PAM's libaudit integration to make DNSrequests for that name. It's not exactly clear what value PAM_RHOSTshould have in that case, but it seems clear that we shouldn't set itto an unresolvable name, so don't do that.Back-patch to 9.6. Bug #15520.Author: Thomas MunroReviewed-by: Peter EisentrautReported-by: Albert SchabhuetlDiscussion:https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org

1 parentb86d148 commit63d8350Copy full SHA for 63d8350

File tree

1 file changed

+30

-20

lines changed

src/backend/libpq
- auth.c

1 file changed

+30

-20

lines changed

`‎src/backend/libpq/auth.c`

Lines changed: 30 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -1893,18 +1893,6 @@ CheckPAMAuth(Port port, char user, char *password)`
`1893`	`1893`	`{`
`1894`	`1894`	`intretval;`
`1895`	`1895`	`pam_handle_t*pamh=NULL;`
`1896`		`-charhostinfo[NI_MAXHOST];`
`1897`		`-`
`1898`		`-retval=pg_getnameinfo_all(&port->raddr.addr,port->raddr.salen,`
`1899`		`-hostinfo,sizeof(hostinfo),NULL,0,`
`1900`		`-port->hba->pam_use_hostname ?0 :NI_NUMERICHOST \|NI_NUMERICSERV);`
`1901`		`-if (retval!=0)`
`1902`		`-{`
`1903`		`-ereport(WARNING,`
`1904`		`-(errmsg_internal("pg_getnameinfo_all() failed: %s",`
`1905`		`-gai_strerror(retval))));`
`1906`		`-returnSTATUS_ERROR;`
`1907`		`-}`
`1908`	`1896`
`1909`	`1897`	`/*`
`1910`	`1898`	`* We can't entirely rely on PAM to pass through appdata --- it appears`
`@@ -1950,15 +1938,37 @@ CheckPAMAuth(Port port, char user, char *password)`
`1950`	`1938`	`returnSTATUS_ERROR;`
`1951`	`1939`	`}`
`1952`	`1940`
`1953`		`-retval=pam_set_item(pamh,PAM_RHOST,hostinfo);`
`1954`		`-`
`1955`		`-if (retval!=PAM_SUCCESS)`
	`1941`	`+if (port->hba->conntype!=ctLocal)`
`1956`	`1942`	`{`
`1957`		`-ereport(LOG,`
`1958`		`-(errmsg("pam_set_item(PAM_RHOST) failed: %s",`
`1959`		`-pam_strerror(pamh,retval))));`
`1960`		`-pam_passwd=NULL;`
`1961`		`-returnSTATUS_ERROR;`
	`1943`	`+charhostinfo[NI_MAXHOST];`
	`1944`	`+intflags;`
	`1945`	`+`
	`1946`	`+if (port->hba->pam_use_hostname)`
	`1947`	`+flags=0;`
	`1948`	`+else`
	`1949`	`+flags=NI_NUMERICHOST \|NI_NUMERICSERV;`
	`1950`	`+`
	`1951`	`+retval=pg_getnameinfo_all(&port->raddr.addr,port->raddr.salen,`
	`1952`	`+hostinfo,sizeof(hostinfo),NULL,0,`
	`1953`	`+flags);`
	`1954`	`+if (retval!=0)`
	`1955`	`+{`
	`1956`	`+ereport(WARNING,`
	`1957`	`+(errmsg_internal("pg_getnameinfo_all() failed: %s",`
	`1958`	`+gai_strerror(retval))));`
	`1959`	`+returnSTATUS_ERROR;`
	`1960`	`+}`
	`1961`	`+`
	`1962`	`+retval=pam_set_item(pamh,PAM_RHOST,hostinfo);`
	`1963`	`+`
	`1964`	`+if (retval!=PAM_SUCCESS)`
	`1965`	`+{`
	`1966`	`+ereport(LOG,`
	`1967`	`+(errmsg("pam_set_item(PAM_RHOST) failed: %s",`
	`1968`	`+pam_strerror(pamh,retval))));`
	`1969`	`+pam_passwd=NULL;`
	`1970`	`+returnSTATUS_ERROR;`
	`1971`	`+}`
`1962`	`1972`	`}`
`1963`	`1973`
`1964`	`1974`	`retval=pam_set_item(pamh,PAM_CONV,&pam_passw_conv);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit63d8350

File tree

1 file changed

1 file changed

`‎src/backend/libpq/auth.c`

0 commit comments