NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit861e967

committed

Fix up usage of krb_server_keyfile GUC parameter.

secure_open_gssapi() installed the krb_server_keyfile setting asKRB5_KTNAME unconditionally, so long as it's not empty. However,pg_GSS_recvauth() only installed it if KRB5_KTNAME wasn't set already,leading to a troubling inconsistency: in theory, clients could seedifferent sets of server principal names depending on whether theyuse GSSAPI encryption. Always using krb_server_keyfile seems likethe right thing, so make both places do that. Also fix upsecure_open_gssapi()'s lack of a check for setenv() failure ---it's unlikely, surely, but security-critical actions are no placeto be sloppy.Also improve the associated documentation.This patch does nothing about secure_open_gssapi()'s use of setenv(),and indeed causes pg_GSS_recvauth() to use it too. That's nominallyagainst project portability rules, but since this code is only builtwith --with-gssapi, I do not feel a need to do something about thisin the back branches. A fix will be forthcoming for HEAD though.Back-patch to v12 where GSSAPI encryption was introduced. Thedubious behavior in pg_GSS_recvauth() goes back further, but itdidn't have anything to be inconsistent with, so let it be.Discussion:https://postgr.es/m/2187460.1609263156@sss.pgh.pa.us

1 parent2392136 commit861e967Copy full SHA for 861e967

File tree

5 files changed

+31

-32

lines changed

doc/src/sgml
- client-auth.sgml
- config.sgml
src/backend
- libpq
  - auth.c
  - be-secure-gssapi.c
- utils/misc
  - postgresql.conf.sample

5 files changed

+31

-32

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 1 addition & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1262,11 +1262,7 @@ omicron bryanh guest1`
`1262`	`1262`
`1263`	`1263`	`<para>`
`1264`	`1264`	`The location of the server's keytab file is specified by the <xref`
`1265`		`- linkend="guc-krb-server-keyfile"/> configuration`
`1266`		`- parameter. The default is`
`1267`		`- <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename>`
`1268`		`- (where the directory part is whatever was specified`
`1269`		`- as <varname>sysconfdir</varname> at build time).`
	`1265`	`+ linkend="guc-krb-server-keyfile"/> configuration parameter.`
`1270`	`1266`	`For security reasons, it is recommended to use a separate keytab`
`1271`	`1267`	`just for the <productname>PostgreSQL</productname> server rather`
`1272`	`1268`	`than allowing the server to read the system keytab file.`

`‎doc/src/sgml/config.sgml`

Lines changed: 9 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1035,10 +1035,16 @@ include_dir 'conf.d'`
`1035`	`1035`	`</term>`
`1036`	`1036`	`<listitem>`
`1037`	`1037`	`<para>`
`1038`		`- Sets the location of the Kerberos server key file. See`
`1039`		`- <xref linkend="gssapi-auth"/>`
`1040`		`- for details. This parameter can only be set in the`
	`1038`	`+ Sets the location of the server's Kerberos key file. The default is`
	`1039`	`+ <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename>`
	`1040`	`+ (where the directory part is whatever was specified`
	`1041`	`+ as <varname>sysconfdir</varname> at build time; use`
	`1042`	`+ <literal>pg_config --sysconfdir</literal> to determine that).`
	`1043`	`+ If this parameter is set to an empty string, it is ignored and a`
	`1044`	`+ system-dependent default is used.`
	`1045`	`+ This parameter can only be set in the`
`1041`	`1046`	`<filename>postgresql.conf</filename> file or on the server command line.`
	`1047`	`+ See <xref linkend="gssapi-auth"/> for more information.`
`1042`	`1048`	`</para>`
`1043`	`1049`	`</listitem>`
`1044`	`1050`	`</varlistentry>`

`‎src/backend/libpq/auth.c`

Lines changed: 10 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -1054,29 +1054,18 @@ pg_GSS_recvauth(Port *port)`
`1054`	`1054`	`(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),`
`1055`	`1055`	`errmsg("GSSAPI is not supported in protocol version 2")));`
`1056`	`1056`
`1057`		`-if (pg_krb_server_keyfile&&strlen(pg_krb_server_keyfile)>0)`
	`1057`	`+/*`
	`1058`	`+ * Use the configured keytab, if there is one. Unfortunately, Heimdal`
	`1059`	`+ * doesn't support the cred store extensions, so use the env var.`
	`1060`	`+ */`
	`1061`	`+if (pg_krb_server_keyfile!=NULL&&pg_krb_server_keyfile[0]!='\0')`
`1058`	`1062`	`{`
`1059`		`-/*`
`1060`		`- * Set default Kerberos keytab file for the Krb5 mechanism.`
`1061`		`- *`
`1062`		`- * setenv("KRB5_KTNAME", pg_krb_server_keyfile, 0); except setenv()`
`1063`		`- * not always available.`
`1064`		`- */`
`1065`		`-if (getenv("KRB5_KTNAME")==NULL)`
	`1063`	`+if (setenv("KRB5_KTNAME",pg_krb_server_keyfile,1)!=0)`
`1066`	`1064`	`{`
`1067`		`-size_tkt_len=strlen(pg_krb_server_keyfile)+14;`
`1068`		`-char*kt_path=malloc(kt_len);`
`1069`		`-`
`1070`		`-if (!kt_path\|\|`
`1071`		`-snprintf(kt_path,kt_len,"KRB5_KTNAME=%s",`
`1072`		`-pg_krb_server_keyfile)!=kt_len-2\|\|`
`1073`		`-putenv(kt_path)!=0)`
`1074`		`-{`
`1075`		`-ereport(LOG,`
`1076`		`-(errcode(ERRCODE_OUT_OF_MEMORY),`
`1077`		`-errmsg("out of memory")));`
`1078`		`-returnSTATUS_ERROR;`
`1079`		`-}`
	`1065`	`+/* The only likely failure cause is OOM, so use that errcode */`
	`1066`	`+ereport(FATAL,`
	`1067`	`+(errcode(ERRCODE_OUT_OF_MEMORY),`
	`1068`	`+errmsg("could not set environment: %m")));`
`1080`	`1069`	`}`
`1081`	`1070`	`}`
`1082`	`1071`

`‎src/backend/libpq/be-secure-gssapi.c`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -525,8 +525,16 @@ secure_open_gssapi(Port *port)`
`525`	`525`	`* Use the configured keytab, if there is one. Unfortunately, Heimdal`
`526`	`526`	`* doesn't support the cred store extensions, so use the env var.`
`527`	`527`	`*/`
`528`		`-if (pg_krb_server_keyfile!=NULL&&strlen(pg_krb_server_keyfile)>0)`
`529`		`-setenv("KRB5_KTNAME",pg_krb_server_keyfile,1);`
	`528`	`+if (pg_krb_server_keyfile!=NULL&&pg_krb_server_keyfile[0]!='\0')`
	`529`	`+{`
	`530`	`+if (setenv("KRB5_KTNAME",pg_krb_server_keyfile,1)!=0)`
	`531`	`+{`
	`532`	`+/* The only likely failure cause is OOM, so use that errcode */`
	`533`	`+ereport(FATAL,`
	`534`	`+(errcode(ERRCODE_OUT_OF_MEMORY),`
	`535`	`+errmsg("could not set environment: %m")));`
	`536`	`+}`
	`537`	`+}`
`530`	`538`
`531`	`539`	`while (true)`
`532`	`540`	`{`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@`
`92`	`92`	`#db_user_namespace = off`
`93`	`93`
`94`	`94`	`# GSSAPI using Kerberos`
`95`		`-#krb_server_keyfile = ''`
	`95`	`+#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'`
`96`	`96`	`#krb_caseins_users = off`
`97`	`97`
`98`	`98`	`# - SSL -`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit861e967

File tree

5 files changed

5 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎doc/src/sgml/config.sgml`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/be-secure-gssapi.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

0 commit comments