Re: Disabling trust/ident authentication configure option

From Josh Berkus
Subject Re: Disabling trust/ident authentication configure option
Date
Msg-id 55596375.7070601@agliodbs.com
In response to Re: Disabling trust/ident authentication configure option  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Disabling trust/ident authentication configure option  (Jim Nasby <Jim.Nasby@BlueTreble.com>)
Re: Disabling trust/ident authentication configure option  (Volker Aßmann <volker.assmann@gmail.com>)
List pgsql-hackers
> On Wed, May 13, 2015 at 2:18 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>     All of this is fairly far afield from the original topic of this
>     thread, which was whether a configure option disabling trust + ident
>     authentication would be a good idea.  I said no.  Then we had a bunch
>     of counter-proposals:
> 
>     Alvaro: Support a configure switch whose value is a comma-separated
>     list of authentication methods to disable.

So, I'm going to throw in why a configure option to disable "trust,
peer" is an unworkable idea.

The goal here was stated to be preventing authentication misconfiguration
by shortsighted admins who have superuser access and the ability to
change pg_hba.conf.  This is tantamount to giving someone a gun and
bullets, but expecting duct tape across the cartridge slot to prevent
them from loading or using the gun.

Let's say we offered a compile-time option, and then someone built a
package postgresql-9.6-secureauth.deb.  So, your lazy admin is having
trouble debugging an auth problem and wants to set "trust".  But they
can't.  So they search on Google and figure out how to download and
install postgresql-9.6-normalauth.deb.  Or, alternately, they set all
passwords to "password" or to "".  Or they put .pgpass files on all
machines.  Or they put the password in pgbouncer and set pgbouncer to
"trust".

You've added exactly one additional step in their way, and not a
particularly difficult one.  It simply doesn't solve the problem you're
trying to solve, which is unsurprising, because technology has never
been able to solve the problem of untrustworthy humans with positions of
responsibility.

Now, if you wanted to add an audit log every time someone changes an
auth method in pg_hba.conf?  I'd be all for that, I can see all kinds of
uses for that, and it might actually accomplish something effective.

If you disagree with me, well, it would be very easy to hack out the
auth methods you don't like and compile your own.  It *is* open source.

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
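
The audit-log idea raised in the message above, sketched as an added example (not part of the original post and not PostgreSQL code): it compares two versions of pg_hba.conf and emits a record for every rule whose auth method changed, flagging changes to the methods this thread discusses. The function names, the record layout and the sample files are assumptions made for illustration, and the parser assumes no quoted fields.

```python
# Real pg_hba.conf auth method names; FLAGGED holds the ones this thread is about.
METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "gss",
           "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
FLAGGED = {"trust", "ident", "peer"}

def parse_hba(text):
    """Map (type, database, user, address) -> auth method; first match wins."""
    rules = {}
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()  # assumption: no quoted fields
        if len(f) < 4:
            continue  # blank, comment-only or include line
        if f[0] == "local":
            key, rest = (f[0], f[1], f[2], ""), f[3:]
        else:
            # host* lines carry an address, optionally followed by a netmask
            addr, rest = f[3], f[4:]
            if rest and rest[0] not in METHODS:
                addr, rest = addr + " " + rest[0], rest[1:]
            key = (f[0], f[1], f[2], addr)
        if rest and rest[0] in METHODS:
            rules.setdefault(key, rest[0])  # later duplicates never match
    return rules

def audit_changes(old_text, new_text):
    """Return one audit record per rule whose auth method differs."""
    old, new = parse_hba(old_text), parse_hba(new_text)
    records = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before != after:
            records.append({"rule": " ".join(k for k in key if k),
                            "old": before, "new": after,
                            "flagged": after in FLAGGED})
    return records

# Constructed sample files, not taken from any real system.
OLD_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   10.0.0.0/8    md5
host    app       app   192.168.1.5 255.255.255.255 md5
"""
NEW_HBA = """\
local   all       all                 peer
host    all       all   10.0.0.0/8    trust   # "temporary" debugging change
host    app       app   192.168.1.5 255.255.255.255 scram-sha-256
host    all       all   0.0.0.0/0     trust
"""

if __name__ == "__main__":
    for rec in audit_changes(OLD_HBA, NEW_HBA):
        print(rec)
```

A record with `old` set to `None` is a newly added rule, and one with `new` set to `None` is a removed rule.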


