Remove the use of the pg_auth flat file for client authentication.

(That flat file is now completely useless, but removal will come later.)

To do this, postpone client authentication into the startup transaction
that's run by InitPostgres.  We still collect the startup packet and do
SSL initialization (if needed) at the same time we did before.  The
AuthenticationTimeout is applied separately to startup packet collection
and the actual authentication cycle.  (This is a bit annoying, since it
means a couple extra syscalls; but the signal handling requirements inside
and outside a transaction are sufficiently different that it seems best
to treat the timeouts as completely independent.)

A small security disadvantage is that if the given database name is invalid,
this will be reported to the client before any authentication happens.
We could work around that by connecting to database "postgres" instead,
but consensus seems to be that it's not worth introducing such surprising
behavior.

Processing of all command-line switches and GUC options received from the
client is now postponed until after authentication.  This means that
PostAuthDelay is much less useful than it used to be --- if you need to
investigate problems during InitPostgres you'll have to set PreAuthDelay
instead.  However, allowing an unauthenticated user to set any GUC options
whatever seems a bit too risky, so we'll live with that.

1 files changed, 15 insertions, 7 deletions

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7e328f7bcf6..e0bd078d3e2 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.183 2009/06/25 11:30:08 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.184 2009/08/29 19:26:51 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -33,8 +33,10 @@
 #include "libpq/ip.h"
 #include "libpq/libpq.h"
 #include "libpq/pqformat.h"
+#include "miscadmin.h"
 #include "storage/ipc.h"
 
+
 /*----------------------------------------------------------------
  * Global authentication functions
  *----------------------------------------------------------------
@@ -282,6 +284,15 @@ ClientAuthentication(Port *port)
 				 errhint("See server log for details.")));
 
 	/*
+	 * Enable immediate response to SIGTERM/SIGINT/timeout interrupts.
+	 * (We don't want this during hba_getauthmethod() because it might
+	 * have to do database access, eg for role membership checks.)
+	 */
+	ImmediateInterruptOK = true;
+	/* And don't forget to detect one that already arrived */
+	CHECK_FOR_INTERRUPTS();
+
+	/*
 	 * This is the first point where we have access to the hba record for the
 	 * current connection, so perform any verifications based on the hba
 	 * options field that should be done *before* the authentication here.
@@ -458,6 +469,9 @@ ClientAuthentication(Port *port)
 		sendAuthRequest(port, AUTH_REQ_OK);
 	else
 		auth_failed(port, status);
+
+	/* Done with authentication, so we should turn off immediate interrupts */
+	ImmediateInterruptOK = false;
 }
 
 
@@ -690,9 +704,6 @@ pg_krb5_recvauth(Port *port)
 	char	   *kusername;
 	char	   *cp;
 
-	if (get_role_line(port->user_name) == NULL)
-		return STATUS_ERROR;
-
 	ret = pg_krb5_init(port);
 	if (ret != STATUS_OK)
 		return ret;
@@ -1823,9 +1834,6 @@ authident(hbaPort *port)
 {
 	char		ident_user[IDENT_USERNAME_MAX + 1];
 
-	if (get_role_line(port->user_name) == NULL)
-		return STATUS_ERROR;
-
 	switch (port->raddr.addr.ss_family)
 	{
 		case AF_INET: