[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#95818: libpgsql2.1: should not depend on ident-server

"Oliver Elphick" <olly@lfix.co.uk> writes:

> It is indeed the case that ident is needed to allow local access without
> a password.  I understand that this presents a small security risk on the
> server.

I think README.Debian or somesuch should tell why ident is necessary,
and perhaps also how one can restrict ident access (e.g. by
firewalling port 113 except for localhost).

> In case anyone should ask why the server cannot authenticate directly,
> communication between front- and back-ends is done through a Unix socket
> and therefore it is not possible for the back-end to know the identity
> of the user at the front-end.

That's not true for Linux 2.[24].x at least. One can use
getsockopt(..., SO_PEERCRED, ...) to get the uid of the other end.

It would be nice if you could request that as an upstream feature.


Attachment: signature.ng
Description: PGP signature

Reply to: