
Commit 63d8350

committed
Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7 we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable name, so don't do that. Back-patch to 9.6. Bug #15520. Author: Thomas Munro Reviewed-by: Peter Eisentraut Reported-by: Albert Schabhuetl Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
1 parent b86d148 commit 63d8350


1 file changed

+30
-20
lines changed


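--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1893,18 +1893,6 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 int retval;
 pam_handle_t *pamh = NULL;
-char hostinfo[NI_MAXHOST];
-
-retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
-hostinfo, sizeof(hostinfo), NULL, 0,
-port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
-if (retval != 0)
-{
-ereport(WARNING,
-(errmsg_internal("pg_getnameinfo_all() failed: %s",
-gai_strerror(retval))));
-return STATUS_ERROR;
-}
 
 /*
 * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -1950,15 +1938,37 @@ CheckPAMAuth(Port *port, char *user, char *password)
 return STATUS_ERROR;
 }
 
-retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
-if (retval != PAM_SUCCESS)
+if (port->hba->conntype != ctLocal)
 {
-ereport(LOG,
-(errmsg("pam_set_item(PAM_RHOST) failed: %s",
-pam_strerror(pamh, retval))));
-pam_passwd = NULL;
-return STATUS_ERROR;
+char hostinfo[NI_MAXHOST];
+int flags;
+
+if (port->hba->pam_use_hostname)
+flags = 0;
+else
+flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+hostinfo, sizeof(hostinfo), NULL, 0,
+flags);
+if (retval != 0)
+{
+ereport(WARNING,
+(errmsg_internal("pg_getnameinfo_all() failed: %s",
+gai_strerror(retval))));
+return STATUS_ERROR;
+}
+
+retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+if (retval != PAM_SUCCESS)
+{
+ereport(LOG,
+(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+pam_strerror(pamh, retval))));
+pam_passwd = NULL;
+return STATUS_ERROR;
+}
 }
 
 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);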
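Review bot: The pg_getnameinfo_all() failure branch inside the new `if (port->hba->conntype != ctLocal)` block returns STATUS_ERROR without clearing pam_passwd, while the pam_set_item(PAM_RHOST) failure branch a few lines below it does `pam_passwd = NULL;` first. The lookup used to be the first statement of CheckPAMAuth and now sits after earlier PAM setup, so if pam_passwd has already been pointed at the client's password by then (the assignment is outside the hunk), this path leaves that pointer set on return; add `pam_passwd = NULL;` before its `return STATUS_ERROR;`. The new block would also benefit from a comment saying why Unix sockets are skipped, e.g. `/* No remote host on a Unix socket: leave PAM_RHOST unset rather than pass a name PAM may try to resolve. */`, and noting that PAM modules which key on rhost will see no value for local connections. CheckPAMAuth starts and ends outside both hunks.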
