Alvaro Herrera <alvherre@commandprompt.com> writes:
> Excerpts from Bruce Momjian's message of vie feb 24 19:19:10 -0300 2012:
>> In looking over our authentication code, I noticed that we create the
>> child process before we check any of the pg_hba.conf file. Now, I
>> realize we can't do authentication in the postmaster because of possible
>> delay, and checking the user name and database name filters is just work
>> that is better done in the child, but checking the IP address might
>> prevent unauthorized clients from causing excessive process creation on
>> the server. I know we have listen_addresses, but that defaults to "*"
>> on the click-through installers, and not everybody knows how to set up a
>> firewall.
> Hm, one thing to keep in mind is that we allow hostnames there. It'd be
> a pain to have postmaster hang while resolving names.
Yes. This cure would be a lot worse than the disease. Bruce ought to
remember that we intentionally moved all that logic *out* of the
postmaster process, years ago, precisely because it was too hard to
ensure that the postmaster wouldn't block and thus create DOS conditions
of another sort.
regards, tom lane