[glom] Self hosting: Do not allow ident authorization.

From: Murray Cumming <murrayc src gnome org>
To: commits-list gnome org
Cc:
Subject: [glom] Self hosting: Do not allow ident authorization.
Date: Fri, 2 Nov 2012 18:36:10 +0000 (UTC)
commit 43c4c7ae6164c392d9c0754dc086da31764496d8
Author: Murray Cumming <murrayc murrayc com>
Date:   Fri Nov 2 13:34:36 2012 +0100

    Self hosting: Do not allow ident authorization.
    
            * glom/libglom/connectionpool_backends/postgres_self.cc:
    Remove the ident lines from pg_hba.conf. We use trust already,
    so we do not need both.

 ChangeLog                                          |    8 +++
 .../connectionpool_backends/postgres_self.cc       |   46 +++-----------------
 2 files changed, 15 insertions(+), 39 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index a5ce183..f0177ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2012-11-02  Murray Cumming  <murrayc murrayc com>
+
+        Self hosting: Do not allow ident authorization.
+
+        * glom/libglom/connectionpool_backends/postgres_self.cc:
+	Remove the ident lines from pg_hba.conf. We use trust already,
+	so we do not need both.
+
 2012-10-25  Murray Cumming  <murrayc murrayc com>
 
         Self hosting: Only allow attempts from localhost when not shared.
diff --git a/glom/libglom/connectionpool_backends/postgres_self.cc b/glom/libglom/connectionpool_backends/postgres_self.cc
index 9a81fd4..6077f02 100644
--- a/glom/libglom/connectionpool_backends/postgres_self.cc
+++ b/glom/libglom/connectionpool_backends/postgres_self.cc
@@ -59,32 +59,13 @@ namespace Glom
 namespace ConnectionPoolBackends
 {
 
-//TODO: Do we need these sameuser lines?
 
-// We need both <=8.3 and >=8.4 versions, because the ident line changed syntax
-// incompatibly: http://www.postgresql.org/about/press/features84#security
-
-#define DEFAULT_CONFIG_PG_HBA_LOCAL_8p3 \
+#define DEFAULT_CONFIG_PG_HBA_LOCAL \
 "# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD\n" \
 "\n" \
 "# local is for Unix domain socket connections only\n" \
 "# trust allows connection from the current PC without a password:\n" \
 "local   all         all                               trust\n" \
-"local   all         all                               ident sameuser\n" \
-"local   all         all                               md5\n" \
-"\n" \
-"# TCP connections from the same computer, with a password:\n" \
-"host    all         all         127.0.0.1    255.255.255.255    md5\n" \
-"# IPv6 local connections:\n" \
-"host    all         all         ::1/128               md5\n"
-
-#define DEFAULT_CONFIG_PG_HBA_LOCAL_8p4 \
-"# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD\n" \
-"\n" \
-"# local is for Unix domain socket connections only\n" \
-"# trust allows connection from the current PC without a password:\n" \
-"local   all         all                               trust\n" \
-"local   all         all                               ident\n" \
 "local   all         all                               md5\n" \
 "\n" \
 "# TCP connections from the same computer, with a password:\n" \
@@ -99,18 +80,13 @@ namespace ConnectionPoolBackends
 "# IPv6 local connections:\n" \
 "host    all         all         ::1/128               md5\n"
 
-#define DEFAULT_CONFIG_PG_HBA_REMOTE_8p3 \
-DEFAULT_CONFIG_PG_HBA_LOCAL_8p3 \
-DEFAULT_CONFIG_PG_HBA_REMOTE_EXTRA
-
-#define DEFAULT_CONFIG_PG_HBA_REMOTE_8p4 \
-DEFAULT_CONFIG_PG_HBA_LOCAL_8p3 \
+#define DEFAULT_CONFIG_PG_HBA_REMOTE \
+DEFAULT_CONFIG_PG_HBA_LOCAL \
 DEFAULT_CONFIG_PG_HBA_REMOTE_EXTRA
 
 static const int PORT_POSTGRESQL_SELF_HOSTED_START = 5433;
 static const int PORT_POSTGRESQL_SELF_HOSTED_END = 5500;
 
-static const char DEFAULT_CONFIG_PG_IDENT[] = "";
 static const char FILENAME_DATA[] = "data";
 static const char FILENAME_BACKUP[] = "backup";
 
@@ -212,8 +188,8 @@ Backend::InitErrors PostgresSelfHosted::initialize(const SlotProgress& slot_prog
     return INITERROR_COULD_NOT_CREATE_DIRECTORY;
   }
 
-  //Create these files: environment  pg_hba.conf  pg_ident.conf  start.conf
-  set_network_shared(slot_progress, m_network_shared); //Creates pg_hba.conf and pg_ident.conf
+  //Create these files: environment, pg_hba.conf, start.conf
+  set_network_shared(slot_progress, m_network_shared); //Creates pg_hba.conf
 
   //Check that there is not an existing data directory:
   const std::string dbdir_data = get_self_hosting_data_path(true /* create */);
@@ -405,7 +381,7 @@ Backend::StartupErrors PostgresSelfHosted::startup(const SlotProgress& slot_prog
   }
 
   //Attempt to ensure that the config files are correct:
-  set_network_shared(slot_progress, m_network_shared); //Creates pg_hba.conf and pg_ident.conf
+  set_network_shared(slot_progress, m_network_shared); //Creates pg_hba.conf
 
   const unsigned int available_port = discover_first_free_port(PORT_POSTGRESQL_SELF_HOSTED_START, PORT_POSTGRESQL_SELF_HOSTED_END);
   //std::cout << "debug: " << G_STRFUNC << ":() : debug: Available port for self-hosting: " << available_port << std::endl;
@@ -426,14 +402,12 @@ Backend::StartupErrors PostgresSelfHosted::startup(const SlotProgress& slot_prog
   // CreateProcess() API used on Windows does not support single quotes.
   const std::string dbdir_config = Glib::build_filename(dbdir, "config");
   const std::string dbdir_hba = Glib::build_filename(dbdir_config, "pg_hba.conf");
-  const std::string dbdir_ident = Glib::build_filename(dbdir_config, "pg_ident.conf");
   const std::string dbdir_pid = Glib::build_filename(dbdir, "pid");
   const std::string listen_address = (m_network_shared ? "*" : "localhost");
   const std::string command_postgres_start = get_path_to_postgres_executable("postgres") + " -D " + Glib::shell_quote(dbdir_data)
                                   + " -p " + port_as_text
                                   + " -h " + listen_address
                                   + " -c hba_file=" + Glib::shell_quote(dbdir_hba)
-                                  + " -c ident_file=" + Glib::shell_quote(dbdir_ident)
                                   + " -k " + Glib::shell_quote(dbdir)
                                   + " --external_pid_file=" + Glib::shell_quote(dbdir_pid);
   //std::cout << G_STRFUNC << ": debug: " << command_postgres_start << std::endl;
@@ -578,10 +552,7 @@ bool PostgresSelfHosted::set_network_shared(const SlotProgress& slot_progress, b
   const float postgresql_version = get_postgresql_utils_version_as_number(slot_progress);
   //std::cout << "DEBUG: postgresql_version=" << postgresql_version << std::endl;
 
-  if(postgresql_version >= 8.4f)
-    default_conf_contents = m_network_shared ? DEFAULT_CONFIG_PG_HBA_REMOTE_8p4 : DEFAULT_CONFIG_PG_HBA_LOCAL_8p4;
-  else
-    default_conf_contents = m_network_shared ? DEFAULT_CONFIG_PG_HBA_REMOTE_8p3 : DEFAULT_CONFIG_PG_HBA_LOCAL_8p3;
+  default_conf_contents = m_network_shared ? DEFAULT_CONFIG_PG_HBA_REMOTE : DEFAULT_CONFIG_PG_HBA_LOCAL;
 
   //std::cout << "DEBUG: default_conf_contents=" << default_conf_contents << std::endl;
 
@@ -590,9 +561,6 @@ bool PostgresSelfHosted::set_network_shared(const SlotProgress& slot_progress, b
   if(!hba_conf_creation_succeeded)
     return false;
 
-  const bool ident_conf_creation_succeeded = create_text_file(dbdir_uri_config + "/pg_ident.conf", DEFAULT_CONFIG_PG_IDENT);
-  g_assert(ident_conf_creation_succeeded);
-
   return hba_conf_creation_succeeded;
 }
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]