mirror of
https://github.com/postgres/postgres.git
synced 2025-10-29 22:49:41 +03:00
Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix
sockets. This caused Linux PAM's libaudit integration to make DNS
requests for that name. It's not exactly clear what value PAM_RHOST
should have in that case, but it seems clear that we shouldn't set it
to an unresolvable name, so don't do that.
Back-patch to 9.6. Bug #15520.
Author: Thomas Munro
Reviewed-by: Peter Eisentraut
Reported-by: Albert Schabhuetl
Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
This commit is contained in:
Thomas Munro
@@ -2162,18 +2162,6 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
|
||||
{
|
||||
int retval;
|
||||
pam_handle_t *pamh = NULL;
|
||||
char hostinfo[NI_MAXHOST];
|
||||
|
||||
retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
||||
hostinfo, sizeof(hostinfo), NULL, 0,
|
||||
port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
|
||||
if (retval != 0)
|
||||
{
|
||||
ereport(WARNING,
|
||||
(errmsg_internal("pg_getnameinfo_all() failed: %s",
|
||||
gai_strerror(retval))));
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* We can't entirely rely on PAM to pass through appdata --- it appears
|
||||
@@ -2219,15 +2207,37 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
|
||||
|
||||
if (retval != PAM_SUCCESS)
|
||||
if (port->hba->conntype != ctLocal)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("pam_set_item(PAM_RHOST) failed: %s",
|
||||
pam_strerror(pamh, retval))));
|
||||
pam_passwd = NULL;
|
||||
return STATUS_ERROR;
|
||||
char hostinfo[NI_MAXHOST];
|
||||
int flags;
|
||||
|
||||
if (port->hba->pam_use_hostname)
|
||||
flags = 0;
|
||||
else
|
||||
flags = NI_NUMERICHOST | NI_NUMERICSERV;
|
||||
|
||||
retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
||||
hostinfo, sizeof(hostinfo), NULL, 0,
|
||||
flags);
|
||||
if (retval != 0)
|
||||
{
|
||||
ereport(WARNING,
|
||||
(errmsg_internal("pg_getnameinfo_all() failed: %s",
|
||||
gai_strerror(retval))));
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
|
||||
|
||||
if (retval != PAM_SUCCESS)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("pam_set_item(PAM_RHOST) failed: %s",
|
||||
pam_strerror(pamh, retval))));
|
||||
pam_passwd = NULL;
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
|
||||
|
||||
Reference in New Issue
Block a user