Re: Checking pg_hba.conf in the child process
From | Tom Lane |
---|---|
Subject | Re: Checking pg_hba.conf in the child process |
Date | |
Msg-id | 3763.1330127158@sss.pgh.pa.us |
In reply to | Re: Checking pg_hba.conf in the child process (Alvaro Herrera <alvherre@commandprompt.com>) |
Responses | Re: Checking pg_hba.conf in the child process |
List | pgsql-hackers |

Alvaro Herrera <alvherre@commandprompt.com> writes:
> Excerpts from Bruce Momjian's message of vie feb 24 19:19:10 -0300 2012:
>> In looking over our authentication code, I noticed that we create the
>> child process before we check any of the pg_hba.conf file. Now, I
>> realize we can't do authentication in the postmaster because of possible
>> delay, and checking the user name and database name filters is just work
>> that is better done in the child, but checking the IP address might
>> prevent unauthorized clients from causing excessive process creation on
>> the server. I know we have listen_addresses, but that defaults to "*"
>> on the click-through installers, and not everybody knows how to set up a
>> firewall.

> Hm, one thing to keep in mind is that we allow hostnames there. It'd be
> a pain to have postmaster hang while resolving names.

Yes. This cure would be a lot worse than the disease. Bruce ought to
remember that we intentionally moved all that logic *out* of the
postmaster process, years ago, precisely because it was too hard to
ensure that the postmaster wouldn't block and thus create DOS conditions
of another sort.

regards, tom lane