Don't set PAM_RHOST for Unix sockets.
authorThomas Munro <tmunro@postgresql.org>
Wed, 28 Nov 2018 01:00:57 +0000 (14:00 +1300)
committerThomas Munro <tmunro@postgresql.org>
Wed, 28 Nov 2018 01:15:00 +0000 (14:15 +1300)
Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix
sockets.  This caused Linux PAM's libaudit integration to make DNS
requests for that name.  It's not exactly clear what value PAM_RHOST
should have in that case, but it seems clear that we shouldn't set it
to an unresolvable name, so don't do that.

Back-patch to 9.6.  Bug #15520.

Author: Thomas Munro
Reviewed-by: Peter Eisentraut
Reported-by: Albert Schabhuetl
Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org

src/backend/libpq/auth.c

index 783b34c700893006afd519a729759c7b1f34df49..2fbf56d636ad1e9243ebf033a6a4cfd5f82cca88 100644 (file)
@@ -2158,18 +2158,6 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
    int         retval;
    pam_handle_t *pamh = NULL;
-   char        hostinfo[NI_MAXHOST];
-
-   retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
-                               hostinfo, sizeof(hostinfo), NULL, 0,
-                               port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
-   if (retval != 0)
-   {
-       ereport(WARNING,
-               (errmsg_internal("pg_getnameinfo_all() failed: %s",
-                                gai_strerror(retval))));
-       return STATUS_ERROR;
-   }
 
    /*
     * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -2215,15 +2203,37 @@ CheckPAMAuth(Port *port, char *user, char *password)
        return STATUS_ERROR;
    }
 
-   retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
-   if (retval != PAM_SUCCESS)
+   if (port->hba->conntype != ctLocal)
    {
-       ereport(LOG,
-               (errmsg("pam_set_item(PAM_RHOST) failed: %s",
-                       pam_strerror(pamh, retval))));
-       pam_passwd = NULL;
-       return STATUS_ERROR;
+       char        hostinfo[NI_MAXHOST];
+       int         flags;
+
+       if (port->hba->pam_use_hostname)
+           flags = 0;
+       else
+           flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+       retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+                                   hostinfo, sizeof(hostinfo), NULL, 0,
+                                   flags);
+       if (retval != 0)
+       {
+           ereport(WARNING,
+                   (errmsg_internal("pg_getnameinfo_all() failed: %s",
+                                    gai_strerror(retval))));
+           return STATUS_ERROR;
+       }
+
+       retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+       if (retval != PAM_SUCCESS)
+       {
+           ereport(LOG,
+                   (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+                           pam_strerror(pamh, retval))));
+           pam_passwd = NULL;
+           return STATUS_ERROR;
+       }
    }
 
    retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
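Review bot: The new pg_getnameinfo_all() failure path inside the `conntype != ctLocal` block returns `STATUS_ERROR` without clearing `pam_passwd`, whereas the sibling pam_set_item(PAM_RHOST) failure a few lines below does `pam_passwd = NULL;` first — the lookup used to run before any PAM state was set up (hunk 1), but it now sits after it, so the shortcut the old early return could take no longer applies. Since `pam_passwd` is not declared in this function and appears to be file-level state pointing at the caller's cleartext password, leaving it set after a failed authentication is worth avoiding: add `pam_passwd = NULL;` before that `return STATUS_ERROR;`. If pam_start() has already succeeded at this point (the context `return STATUS_ERROR; }` at the top of the hunk reads like the end of its error block, but the call itself is outside the hunk), both failure paths also leave the handle unreleased, so a `pam_end(pamh, retval);` on each would be worth considering — confirm against the rest of CheckPAMAuth, whose body continues past the hunk. Minor: the two paths also disagree on log level and message style (`ereport(WARNING, errmsg_internal(...))` vs `ereport(LOG, errmsg(...))`); one convention for both would be cleaner.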