authorThomas Munro <tmunro@postgresql.org>2018-11-28 14:00:57 +1300
committerThomas Munro <tmunro@postgresql.org>2018-11-28 14:14:40 +1300
commit0640d9517e7e6804851a5f0d2520d51fc6faf014 (patch)
tree1464510f7fec83dc3c340699128220c8307729e1
parentf8397c955e54d7093a81b2a84ba44898c6566203 (diff)
Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable name, so don't do that. Back-patch to 9.6. Bug #15520. Author: Thomas Munro Reviewed-by: Peter Eisentraut Reported-by: Albert Schabhuetl Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
-rw-r--r--src/backend/libpq/auth.c50
1 files changed, 30 insertions, 20 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 4f9d697d6da..ff0832dba8b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2162,18 +2162,6 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
{
int retval;
pam_handle_t *pamh = NULL;
- char hostinfo[NI_MAXHOST];
-
- retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
- hostinfo, sizeof(hostinfo), NULL, 0,
- port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
- if (retval != 0)
- {
- ereport(WARNING,
- (errmsg_internal("pg_getnameinfo_all() failed: %s",
- gai_strerror(retval))));
- return STATUS_ERROR;
- }
/*
* We can't entirely rely on PAM to pass through appdata --- it appears
@@ -2219,15 +2207,37 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
return STATUS_ERROR;
}
- retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
- if (retval != PAM_SUCCESS)
+ if (port->hba->conntype != ctLocal)
{
- ereport(LOG,
- (errmsg("pam_set_item(PAM_RHOST) failed: %s",
- pam_strerror(pamh, retval))));
- pam_passwd = NULL;
- return STATUS_ERROR;
+ char hostinfo[NI_MAXHOST];
+ int flags;
+
+ if (port->hba->pam_use_hostname)
+ flags = 0;
+ else
+ flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+ retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+ hostinfo, sizeof(hostinfo), NULL, 0,
+ flags);
+ if (retval != 0)
+ {
+ ereport(WARNING,
+ (errmsg_internal("pg_getnameinfo_all() failed: %s",
+ gai_strerror(retval))));
+ return STATUS_ERROR;
+ }
+
+ retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+ if (retval != PAM_SUCCESS)
+ {
+ ereport(LOG,
+ (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+ pam_strerror(pamh, retval))));
+ pam_passwd = NULL;
+ return STATUS_ERROR;
+ }
}
retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
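Review bot: The pg_getnameinfo_all() failure path inside the new `if (port->hba->conntype != ctLocal)` block returns STATUS_ERROR without resetting `pam_passwd`, while the adjacent pam_set_item(PAM_RHOST) failure branch a few lines below does `pam_passwd = NULL;` before its return; since the lookup has been moved from before the PAM handle was created to after it (the `return STATUS_ERROR; }` at the top of the hunk looks like the tail of the pam_start check, which is outside the hunk), the two error returns should be treated the same, so add `pam_passwd = NULL;` before the `return STATUS_ERROR;` that follows the WARNING. Neither branch calls pam_end() on the handle, which matches the pre-existing code, but is worth a second look now that more error returns sit after pam_start. The `conntype != ctLocal` test also carries no comment explaining why PAM_RHOST is left unset for Unix sockets; a one-line comment such as `/* Don't set PAM_RHOST for Unix sockets: a placeholder like "[local]" is unresolvable and makes PAM's libaudit integration issue DNS lookups for it. */` would keep the commit message's rationale next to the code. CheckPAMAuth begins and ends outside this hunk.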