Re: [HACKERS] pgsql/php3/apache authentication

Peter Eisentraut writes:
> On Wed, 26 Apr 2000, Jim Mercer wrote:
>
> > - queries via localhost (unix domain sockets) should assume that the pg_user
> > is the same as the unix user running the process.
>
> There's no way for the server to determine the system user name of the
> other end of a domain socket; at least no one has implemented one yet. So
> essentially this isn't going to work.

The client can pass an SCM_CREDENTIALS (Linux) or SCM_CREDS (BSDish)
socket control message down the Unix domain socket and the kernel will
fill in the client's credentials (including PID, uid and gid) for the
receiver to read. Some Unices don't support this though. If noone else
implements this, I'll try to find time to do it myself though I've
only touched the server side of pg authentication before and haven't
looked at what exactly the client side sends across already. Without
SCM_CRED[ENTIAL]S, it gets very messy passing reliable (or even
semi-reliable) authentication information. STREAMS has another way to
send/receive credentials but not via the socket API.

--Malcolm

--
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services