From: Joshua Tolley on 8 Apr 2010 19:12

On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
> On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> > Simon Riggs <simon(a)2ndQuadrant.com> writes:
> >> When there is a specific reject rule, why does the server say
> >> FATAL: no pg_hba.conf entry
> >
> > It's intentional. We try to expose the minimum amount of knowledge
> > about the contents of pg_hba.conf to potential attackers.
>
> The problem with the message is not that it's uninformative, but that
> it's counterfactual.
>
> ...Robert

I agree (I noticed and was bothered by this today, as a matter of irrelevant
fact). I can support the idea of exposing as little as possible of
pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
standard. Just say something like "connection disallowed" and leave it at that
-- either it's disallowed by lack of a rule, or by existence of a "reject"
rule, or by something else entirely. As long as the message isn't clearly
wrong in the "reject" case, as it is now.

--
Joshua Tolley / eggyknap
End Point Corporation
http://www.endpoint.com

From: Bruce Momjian on 14 Apr 2010 16:19

Joshua Tolley wrote:
> On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
> > On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> > > Simon Riggs <simon(a)2ndQuadrant.com> writes:
> > >> When there is a specific reject rule, why does the server say
> > >> FATAL: no pg_hba.conf entry
> > >
> > > It's intentional. We try to expose the minimum amount of knowledge
> > > about the contents of pg_hba.conf to potential attackers.
> >
> > The problem with the message is not that it's uninformative, but that
> > it's counterfactual.
> >
> > ...Robert
>
> I agree (I noticed and was bothered by this today, as a matter of irrelevant
> fact). I can support the idea of exposing as little as possible of
> pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
> standard. Just say something like "connection disallowed" and leave it at that
> -- either it's disallowed by lack of a rule, or by existence of a "reject"
> rule, or by something else entirely. As long as the message isn't clearly
> wrong in the "reject" case, as it is now.

Did we come to any conclusion on this?

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Aidan Van Dyk on 14 Apr 2010 16:24

* Bruce Momjian <bruce(a)momjian.us> [100414 16:20]:
> Joshua Tolley wrote:
> > On Wed, Apr 07, 2010 at 01:07:21PM -0400, Robert Haas wrote:
> > > On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> > > > Simon Riggs <simon(a)2ndQuadrant.com> writes:
> > > >> When there is a specific reject rule, why does the server say
> > > >> FATAL: no pg_hba.conf entry
> > > >
> > > > It's intentional. We try to expose the minimum amount of knowledge
> > > > about the contents of pg_hba.conf to potential attackers.
> > >
> > > The problem with the message is not that it's uninformative, but that
> > > it's counterfactual.
> > >
> > > ...Robert
> >
> > I agree (I noticed and was bothered by this today, as a matter of irrelevant
> > fact). I can support the idea of exposing as little as possible of
> > pg_hba.conf, but ISTM the "no pg_hba.conf entry" is exposing too much, by that
> > standard. Just say something like "connection disallowed" and leave it at that
> > -- either it's disallowed by lack of a rule, or by existence of a "reject"
> > rule, or by something else entirely. As long as the message isn't clearly
> > wrong in the "reject" case, as it is now.
>
> Did we come to any conclusion on this?

I think it sort of just died. I'm in favour of making sure we don't
give out any extra information, so if the objection to the message is
simply that "no pg_hba.conf entry" is "counterfactual" when there is an
entry rejecting it, how about:
"No pg_hba.conf authorizing entry"

That's no longer counter-factual, and works for both no entry, and a
rejecting entry...

a.

--
Aidan Van Dyk              Create like a god,
aidan(a)highrise.ca        command like a king,
http://www.highrise.ca/    work like a slave.

From: Robert Haas on 14 Apr 2010 16:28

On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan(a)highrise.ca> wrote:
> I think it sort of just died. I'm in favour of making sure we don't
> give out any extra information, so if the objection to the message is
> simply that "no pg_hba.conf entry" is "counterfactual" when there is an
> entry rejecting it, how about:
> "No pg_hba.conf authorizing entry"
>
> That's no longer counter-factual, and works for both no entry, and a
> rejecting entry...

That works for me. I don't have strong feelings about it so I'd
probably be OK to a variety of solutions subject to my previous
remarks, but that seems as good as anything.

....Robert

From: Robert Haas on 14 Apr 2010 17:51

On Wed, Apr 14, 2010 at 4:28 PM, Robert Haas <robertmhaas(a)gmail.com> wrote:
> On Wed, Apr 14, 2010 at 4:24 PM, Aidan Van Dyk <aidan(a)highrise.ca> wrote:
>> I think it sort of just died. I'm in favour of making sure we don't
>> give out any extra information, so if the objection to the message is
>> simply that "no pg_hba.conf entry" is "counterfactual" when there is an
>> entry rejecting it, how about:
>> "No pg_hba.conf authorizing entry"
>>
>> That's no longer counter-factual, and works for both no entry, and a
>> rejecting entry...
>
> That works for me. I don't have strong feelings about it so I'd
> probably be OK to a variety of solutions subject to my previous
> remarks, but that seems as good as anything.

Although on further reflection, part of me feels like it might be even
simpler and clearer to simply say:

connection not authorized

....Robert