Re: BUG #15520: PAM authentication + domain socket -> DNS query for symbolic hostname [local]
Albert Schabhuetl <albert_schabhuetl@yahoo.de>
From: Albert Schabhuetl <albert_schabhuetl@yahoo.de>
To: PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>, Thomas Munro <thomas.munro@enterprisedb.com>
Date: 2018-11-25T20:09:42Z
Lists: pgsql-bugs
NULL vs hostname for PAM_RHOST:
My understanding is that the purpose of the PAM configuration parameter pam_use_hostname is to avoid the adverse effects of DNS queries if set to 0. Thus if pam_use_hostname is 0, PAM_RHOST shall be NULL for domain socket connections, just like it is the case for TCP connections.
>I wonder if anyone out there has come to rely on the value "[local]"I vote for changing it, and documenting it in the release notes.
regards,Albert
Am Samstag, 24. November 2018, 22:58:01 MEZ hat Thomas Munro <thomas.munro@enterprisedb.com> Folgendes geschrieben:
On Sun, Nov 25, 2018 at 12:57 AM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:
> It seems we shouldn't be passing a bogus hostname in PAM_RHOST.
I wonder if we should simply not set PAM_RHOST for Unix sockets, since
(in the words of the Linux PAM man page) "[i]n some applications,
PAM_RHOST may be NULL", or set it to the hostname of the local
machine, since in a general sense it is "the hostname of the machine
from which the PAM_RUSER entity is requesting service" (Linux PAM) and
"[t]he name of the applicant's host" (OpenPAM). The latter doesn't
seem great because it means that a PAM module loses the ability to
distinguish this case from the IP case, so I think the former is
probably better. I haven't managed to find anything explicit about
the expected value of PAM_RHOST for Unix sockets in either the Linux
PAM or OpenPAM projects.
I wonder if anyone out there has come to rely on the value "[local]"
that PostgreSQL generates for this case (ie in a custom PAM module or
script executed with pam_exec.so), and would get upset if we changed
it. Seems pretty unlikely.
The comments for pg_getnameinfo_all() could probably do with a mention
of the special value written to "node" for Unix sockets.
Some relevant code:
We can see that linux-audit only starts trying to resolve host if you
didn't also pass in an address:
https://github.com/linux-audit/audit-userspace/blob/e42602b7b246ae62e7a12e9cd91f0ac37b1b1968/lib/audit_logging.c#L456
We can also see that linux-pam always passes NULL as an address:
https://github.com/linux-pam/linux-pam/blob/955b3e2f100205be2db4358e9c812de2ae453b8e/libpam/pam_audit.c#L41
--
Thomas Munro
http://www.enterprisedb.com
Commits
-
Don't set PAM_RHOST for Unix sockets.
- 63d8350665c8 9.6.12 landed
- 96ed0b870454 10.7 landed
- 0640d9517e7e 11.2 landed
- 0f9cdd7dca69 12.0 landed
-
Set PAM_RHOST item for PAM authentication
- 2f1d2b7a75fe 9.6.0 cited