Re: Checking pg_hba.conf in the child process

Excerpts from Bruce Momjian's message of vie feb 24 19:19:10 -0300 2012:
> In looking over our authentication code, I noticed that we create the
> child process before we check any of the pg_hba.conf file.  Now, I
> realize we can't do authentication in the postmaster because of possible
> delay, and checking the user name and database name filters is just work
> that is better done in the child, but checking the IP address might
> prevent unauthorized clients from causing excessive process creation on
> the server.  I know we have listen_addresses, but that defaults to "*"
> on the click-through installers, and not everybody knows how to set up a
> firewall.

Hm, one thing to keep in mind is that we allow hostnames there.  It'd be
a pain to have postmaster hang while resolving names.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support