Commite7029b2

committed
>I got a new idea on this. I think we should add an initdb option that
>takes a string to specify the local authentication method:>> initdb --auth 'ident'>>or whatever the user wants. I think this is more flexible and more>compact. It would default to 'trust', and the packagers could>set it to>whatever they want. If their OS supports local ident, they can use>that.>>Also keep in mind you might want some ident map file:>> initdb --auth 'ident mymap'>>so you would need to allow multiple words in the string.Magnus Hagander
1 parent9d623ed commite7029b2


2 files changed

+73
-12
lines changed

2 files changed

+73
-12
lines changed

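--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -48,20 +48,16 @@
 # Put your actual configuration here
 # ----------------------------------
 #
-# CAUTION: The default configuration allows any local user to connect
-# using any PostgreSQL user name, including the superuser, over either
-# Unix-domain sockets or TCP/IP. If you are on a multiple-user
-# machine, the default configuration is probably too liberal for you.
-# Change it to use something other than "trust" authentication.
-#
 # If you want to allow non-local connections, you need to add more
 # "host" records. Also, remember TCP/IP connections are only enabled
 # if you enable "tcpip_socket" in postgresql.conf.
 
+@authcomment@
+
 # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
 
-local all alltrust
+local all all@authmethod@
 # IPv4-style local connections:
-host all all 127.0.0.1 255.255.255.255trust
+host all all 127.0.0.1 255.255.255.255@authmethod@
 # IPv6-style local connections:
-host all all ::1/128trust
+host all all ::1/128@authmethod@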
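--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -39,7 +39,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 * Portions taken from FreeBSD.
 *
-* $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.44 2004/07/19 02:47:12 tgl Exp $
+* $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.45 2004/08/01 05:59:13 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -88,6 +88,7 @@ char *lc_messages = "";
 char*username="";
 boolpwprompt= false;
 char*pwfilename=NULL;
+char*authmethod="";
 booldebug= false;
 boolnoclean= false;
 boolshow_setting= false;
@@ -118,6 +119,16 @@ booloutput_failed = false;
 intn_connections=10;
 intn_buffers=50;
 
+/*
+* Warning messages for authentication methods
+*/
+char*authtrust_warning=\
+"# CAUTION: Configuring the system for local \"trust\" authentication allows\n"
+"# any local user to connect as any PostgreSQL user, including the database\n"
+"# superuser. If you do not trust all your local users, use another\n"
+"# authenication method.\n";
+char*authwarning=NULL;
+
 /*
 * Centralized knowledge of switches to pass to backend
 *
@@ -1114,7 +1125,16 @@ setup_config(void)
 "host all all ::1",
 "#host all all ::1");
 #endif
-
+
+
+/* Replace default authentication methods */
+conflines=replace_token(conflines,
+"@authmethod@",
+authmethod);
+
+conflines=replace_token(conflines,
+"@authcomment@",
+strcmp(authmethod,"trust") ?"" :authtrust_warning);
+
 snprintf(path,sizeof(path),"%s/pg_hba.conf",pg_data);
 
 writefile(path,conflines);
@@ -1971,6 +1991,7 @@ usage(const char *progname)
 " in the respective category (default taken from\n"
 " environment)\n"));
 printf(_(" --no-locale equivalent to --locale=C\n"));
+printf(_(" -A, --auth=method default authentication method for local connections\n"));
 printf(_(" -U, --username=NAME database superuser name\n"));
 printf(_(" -W, --pwprompt prompt for a password for the new superuser\n"));
 printf(_(" --pwfile=filename read password for the new superuser from file\n"));
@@ -2004,6 +2025,7 @@ main(int argc, char *argv[])
 {"lc-time",required_argument,NULL,6},
 {"lc-messages",required_argument,NULL,7},
 {"no-locale",no_argument,NULL,8},
+{"auth",required_argument,NULL,'A'},
 {"pwprompt",no_argument,NULL,'W'},
 {"pwfile",required_argument,NULL,9},
 {"username",required_argument,NULL,'U'},
@@ -2052,10 +2074,13 @@ main(int argc, char *argv[])
 
 /* process command-line options */
 
-while ((c=getopt_long(argc,argv,"dD:E:L:nU:W",long_options,&option_index))!=-1)
+while ((c=getopt_long(argc,argv,"dD:E:L:nU:WA:",long_options,&option_index))!=-1)
 {
 switch (c)
 {
+case'A':
+authmethod=xstrdup(optarg);
+break;
 case'D':
 pg_data=xstrdup(optarg);
 break;
@@ -2136,6 +2161,43 @@ main(int argc, char *argv[])
 fprintf(stderr,_("%s: you cannot specify both password prompt and password file\n"),progname);
 exit(1);
 }
+
+if (authmethod==NULL|| !strlen(authmethod))
+{
+authwarning=_("\nWARNING: enabling \"trust\" authentication for local connections.\n"
+"You can change this by editing pg_hba.conf or using the -A flag the\n"
+"next time you run initdb.\n");
+authmethod="trust";
+}
+
+if (strcmp(authmethod,"md5")&&
+strcmp(authmethod,"ident")&&
+strncmp(authmethod,"ident ",6)&&/* ident with space = param */
+strcmp(authmethod,"trust")&&
+#ifdefUSE_PAM
+strcmp(authmethod,"pam")&&
+strncmp(authmethod,"pam ",4)&&/* pam with space = param */
+#endif
+strcmp(authmethod,"crypt")&&
+strcmp(authmethod,"password")
+)
+/*
+*Kerberos methods not listed because they are not supported
+* over local connections and are rejected in hba.c
+*/
+{
+fprintf(stderr,_("%s: unknown authentication method \"%s\".\n"),progname,authmethod);
+exit(1);
+}
+
+if ((!strcmp(authmethod,"md5")||
+!strcmp(authmethod,"crypt")||
+!strcmp(authmethod,"password"))&&
+!(pwprompt||pwfilename))
+{
+fprintf(stderr,_("%s: you need to specify a password for the superuser to enable %s authentication.\n"),progname,authmethod);
+exit(1);
+}
 
 if (strlen(pg_data)==0)
 {
@@ -2449,6 +2511,9 @@ main(int argc, char *argv[])
 
 make_template0();
 
+if (authwarning!=NULL)
+fprintf(stderr,authwarning);
+
 printf(_("\nSuccess. You can now start the database server using:\n\n"
 " %s%s%s/postmaster -D %s%s%s\n"
 "or\n"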
