Re: pg_hba.conf: samehost and samenet [REVIEW]
From | Magnus Hagander |
---|---|
Subject | Re: pg_hba.conf: samehost and samenet [REVIEW] |
Date | |
Msg-id | 9837222c0909231007y503418e9n88a933d007f4f2fe@mail.gmail.com |
In reply to | Re: pg_hba.conf: samehost and samenet [REVIEW] (Stef Walter <stef-list@memberwebs.com>) |
List | pgsql-hackers |
On Wed, Sep 23, 2009 at 18:41, Stef Walter <stef-list@memberwebs.com> wrote:
> Magnus Hagander wrote:
>> On Mon, Sep 21, 2009 at 20:12, Stef Walter <stef-list@memberwebs.com> wrote:
>>
>>
>> <snip>
>>> Updated in attached patch.
>>
>> This patch does not build on Windows, the error is:
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSAIoctl@36 referenced
>> in function _pg_foreach_ifaddr
>> ip.obj : error LNK2019: unresolved external symbol __imp__WSASocketA@24 referenc
>> ed in function _pg_foreach_ifaddr
>> .\Release\libpq\libpq.dll : fatal error LNK1120: 2 unresolved externals
>>
>>
>> I don't have time to investigate this further right now, so if
>> somebody else wants to dig into why that is happening that would be
>> helpful :)
>
> My windows VM is giving me problems, but I'll try to look into it unless
> someone else beats me to do it.

If you want a VM that works, look at:
http://blog.hagander.net/archives/151-Testing-PostgreSQL-patches-on-Windows-using-Amazon-EC2.html

If it's just the VM... :-)

>> Also, one thought - with samenet we currently from what I can tell
>> enumerate all interfaces. Not just those we bind to based on
>> listen_addresses. Is that intentional, or should we restrict us to
>> subnets reachable through the interfaces we're actually listening on?
>
> This would change the scope of the patch significantly. It seems that
> adding that limitation is unnecessary. In my opinion, if stricter hba
> security is required, and limiting to specific subnets is desired,
> those subnets should be entered directly into the pg_hba.conf file.
>
> Currently people are adding 0.0.0.0 to a default pg_hba.conf file in
> order to allow access from nearby machines, without running into the
> maintenance problems of hard coding IP addresses. However using 0.0.0.0
> is clearly suboptimal from a security perspective.
>
> I've seen the samenet feature as a way to avoid the use of 0.0.0.0 in
> these cases.
>
> Obviously people who would like stricter postgres security can configure
> subnets manually, and would probably not be comfortable with 'automatic'
> decisions being made about the subnets allowed.

Agreed. In that case, I think we just need to make that clearer in the
docs, so people don't make the mistake of thinking it means something
other than what it does.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
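
Added example (not part of the original message or the patch under review): a Python model of the matching semantics discussed above, where samenet matches any subnet of any enumerated interface, independent of listen_addresses. The interface list and listen address are constructed sample values, and `samenet_listen_only` is a hypothetical variant modelling the restriction asked about in the thread.

```python
import ipaddress

# Constructed sample data: (interface address, netmask) pairs as an
# interface enumeration might report them on a host with three interfaces.
INTERFACES = [
    ("127.0.0.1", "255.0.0.0"),        # loopback
    ("10.0.5.20", "255.255.255.0"),    # internal LAN
    ("192.168.77.4", "255.255.0.0"),   # management network
]
# Constructed listen_addresses value: the server binds to one interface only.
LISTEN_ADDRESSES = ["10.0.5.20"]


def _networks(interfaces):
    """Turn (address, netmask) pairs into (address, network) objects."""
    for addr, mask in interfaces:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        yield iface.ip, iface.network


def samehost_match(client, interfaces=INTERFACES):
    """samehost: client address equals one of the server's own addresses."""
    ip = ipaddress.ip_address(client)
    return any(ip == addr for addr, _ in _networks(interfaces))


def samenet_match(client, interfaces=INTERFACES):
    """samenet as discussed: any subnet of any enumerated interface."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for _, net in _networks(interfaces))


def samenet_listen_only(client, interfaces=INTERFACES, listen=LISTEN_ADDRESSES):
    """Hypothetical stricter variant: only subnets of listened-on interfaces."""
    ip = ipaddress.ip_address(client)
    bound = {ipaddress.ip_address(a) for a in listen}
    return any(ip in net for addr, net in _networks(interfaces) if addr in bound)


def compare(client):
    """Return (samehost, samenet, listen-only variant, 0.0.0.0/0) results."""
    wide_open = ipaddress.ip_address(client) in ipaddress.ip_network("0.0.0.0/0")
    return (samehost_match(client), samenet_match(client),
            samenet_listen_only(client), wide_open)


if __name__ == "__main__":
    for c in ("10.0.5.99", "192.168.3.8", "203.0.113.50", "10.0.5.20"):
        print(c, compare(c))
```

The second sample client (192.168.3.8) is the case the documentation needs to make clear: it sits on a subnet of an interface the server is not listening on, yet the samenet rule still matches it.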