Home > mailing lists

Re: [HACKERS] Re: New pg_pwd patch and stuff - Mailing list pgsql-hackers

From	Zeugswetter Andreas DBT
Subject	Re: [HACKERS] Re: New pg_pwd patch and stuff
Date	January 16, 1998 04:33:17
Msg-id	219F68D65015D011A8E000006F8590C6010A519B@sdexcsrv1.sd.spardat.at Whole thread Raw
Responses	Re: [HACKERS] Re: New pg_pwd patch and stuff
List	pgsql-hackers

Tree view

> >
> > >         Fork off the postgres process first, then authenticate
inside of
> > > there...which would get rid of the problem with pg_user itself
being a
> > > text file vs a relation...no?
> >
> > Yes, yes, yes.  This is how authentication should be done (for HBA,
etc.)
>
> No, no, no! For security reasons, you can't fork (and exec)
> unauthenticated processes. Especially HBA authentication should be
done
> to consume as low resources as possbile.

Startup time for a valid connect client is now < 0.16 secs, so is this
really a threat ?
I would say might leave hba to postmaster (since postgres don't need to
know about it)
then fork off postgres and do the rest of the authentication.

Running postgres as root though is a **very** bad idea.
Remember that we have user defined Functions !

no, yes, yes
Andreas

pgsql-hackers by date:

From: "Vadim B. Mikheev"
Date: 16 January 1998, 04:31:33
Subject: Re: [HACKERS] Re: varchar() troubles (fwd)

From: "Vadim B. Mikheev"
Date: 16 January 1998, 04:34:53
Subject: Re: [HACKERS] Re: subselects

Re: [HACKERS] Re: New pg_pwd patch and stuff - Mailing list pgsql-hackers

Previous

Next