Peer credentials (was Security choices...)
From | Alex Pilosov |
---|---|
Subject | Peer credentials (was Security choices...) |
Date | |
Msg-id | Pine.BSO.4.10.10008042335280.4362-100000@spider.pilosoft.com |
In reply to | Re: Security choices... (Bruce Momjian <pgman@candle.pha.pa.us>) |
List | pgsql-hackers |
On Fri, 4 Aug 2000, Bruce Momjian wrote:

> > At 18:34 4/08/00 -0400, Bruce Momjian wrote:
> > >[ Charset ISO-8859-1 unsupported, converting... ]
> > >> Philip Warner writes:
> > >>
> > >> > Is there any reason that a security model does not exist for psql that
> > >> > allows Unix user 'fred' to log in as PG user 'fred' with no password etc,
> > >> > but any user trying to log on as someone other than themselves has to
> > >> > provide a password?
> > >>
> > >> Short of someone sitting down and making it happen I don't see any. You'd
> > >> only need to implement some sort of fall-through in `pg_hba.conf', which
> > >> in my estimate can't be exceedingly hard.
> > >
> > >How do you know Fred is Fred without a password?
> > >
> >
> > The idea was to apply only on the machine on which the postmaster runs;
> > then ideally you get the username of the client process. It's kind of like
> > IDENT, except it works only for local connections, and asks for passwords
> > for non-local connections.
>
> I am not aware of any way to determine the PID at the other end of a
> unix domain socket.

You actually don't need the PID on the other end; what you are interested in is the credentials of a process on the other end. Unfortunately, every OS implemented it in a very different way. Linux has the SO_PEERCREDS option, Solaris has doors, xBSD have SCM_CREDS or LOCAL_CREDS.

see:

http://metalab.unc.edu/pub/Linux/docs/HOWTO/Secure-Programs-HOWTO

http://www.whitefang.com/sup/work.html

http://cr.yp.to/docs/secureipc.html