
Re: Bug#95818: libpgsql2.1: should not depend on ident-server



On Mon, 30 Apr 2001, Oliver Elphick wrote:

> Robert Bihlmeyer wrote:
>   >Package: libpgsql2.1
>   >Version: 7.1release-2
>   >Severity: normal

>   >identds are considered mild privacy/security risks, therefore I don't
>   >think libpgsql2.1 and postgresql-client[1] should depend on
>   >ident-server.

>   >The main use seems to be to allow local connections without further
>   >authentication. A noble goal that should be reached via local
>   >transport instead.

>   >Maybe there's more reasoning why this dependency is necessary. In this
>   >case, please put it in the documentation.

> It is indeed the case that ident is needed to allow local access without
> a password.  I understand that this presents a small security risk on the
> server.  However, without it, it is necessary for the postgres
> administrator's database password to be held in clear in some file, so that
> the automatic clean-up processes will be able to operate.

> It seems to me that the obvious security risks of the latter process
> outweigh the minor risks of having ident available.  However, it is only
> strictly necessary for the server to have ident available, so I propose to
> move the dependency from libpgsql2.1 (and postgresql-client) to postgresql
> itself.

> In case anyone should ask why the server cannot authenticate directly,
> communication between front- and back-ends is done through a Unix socket
> and therefore it is not possible for the back-end to know the identity
> of the user at the front-end.  The only options for Unix socket access
> are password-protection or trust (that is, a completely open database).

...

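#define _GNU_SOURCE		/* glibc exposes struct ucred only with this */
#include <sys/socket.h>
#include <unistd.h>

struct ucred peercred;
socklen_t so_len = sizeof(peercred);

/* Ask the kernel for the credentials of the process at the other end. */
retval = getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len);
if (retval != 0 || so_len != sizeof(peercred)) {
	/* We didn't get a valid credentials struct.
	   Close socket and continue. */
	close(sock);
	continue;
}

if (peercred.uid != ...) {

}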



This works for Unix sockets under Linux 2.2 and Linux 2.4, at least.  I don't
know how portable the interface is beyond that, and lack of portability might
prevent upstream from adopting it.  It would be interesting to see this as an
option for Debian, though.  (Does Hurd implement SO_PEERCRED?)

Steve Langasek
postmodern programmer


