rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove SO_PASSCRED step in ident_unix --- according to Helge Bahmann, 

that call is not needed to prepare for SO_PEERCRED.  Also, simplify code
so that #ifdef SO_PEERCRED appears in only one place, to make it easier
to support other platforms with variants of this capability.
This commit is contained in:
Tom Lane 2001-08-02 14:27:40 +00:00
parent cb90b2dacb
commit 49435fb98f
1 changed files with 17 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/backend/libpq/hba.c
View File

@ -10,7 +10,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.59 2001/08/01 23:52:50 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.60 2001/08/02 14:27:40 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -290,26 +290,11 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
goto hba_syntax; goto hba_syntax;
/* /*
* Disallow auth methods that need AF_INET sockets to work. * Disallow auth methods that always need AF_INET sockets to work.
* Allow "ident" if we can get the identity of the connection
* peer on Unix domain sockets from the OS.
*/ */
if (port->auth_method == uaKrb4 || if (port->auth_method == uaKrb4 ||
port->auth_method == uaKrb5) port->auth_method == uaKrb5)
goto hba_syntax; goto hba_syntax;
#ifndef SO_PEERCRED
if (port->auth_method == uaIdent)
{
/* Give a special error message for this case... */
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"parse_hba: \"ident\" auth is not supported on local connections on this platform\n");
fputs(PQerrormsg, stderr);
pqdebug("%s", PQerrormsg);
*error_p = true;
return;
}
#endif
/* /*
* If this record doesn't match the parameters of the connection * If this record doesn't match the parameters of the connection
@ -326,10 +311,10 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
{ {
struct in_addr file_ip_addr, mask; struct in_addr file_ip_addr, mask;
#ifdef USE_SSL
/* If SSL, then check that we are on SSL */
if (strcmp(token, "hostssl") == 0) if (strcmp(token, "hostssl") == 0)
{ {
#ifdef USE_SSL
/* Record does not match if we are not on an SSL connection */
if (!port->ssl) if (!port->ssl)
return; return;
@ -337,12 +322,11 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
/* Or a client certificate */ /* Or a client certificate */
/* Since we were on SSL, proceed as with normal 'host' mode */ /* Since we were on SSL, proceed as with normal 'host' mode */
}
#else #else
/* If not SSL, we don't support this */ /* We don't accept this keyword at all if no SSL support */
if (strcmp(token, "hostssl") == 0)
goto hba_syntax; goto hba_syntax;
#endif #endif
}
/* Get the database. */ /* Get the database. */
line = lnext(line); line = lnext(line);
@ -866,8 +850,6 @@ ident_inet(const struct in_addr remote_ip_addr,
return ident_return; return ident_return;
} }
#ifdef SO_PEERCRED
/* /*
* Ask kernel about the credentials of the connecting process and * Ask kernel about the credentials of the connecting process and
* determine the symbolic name of the corresponding user. * determine the symbolic name of the corresponding user.
@ -878,26 +860,12 @@ ident_inet(const struct in_addr remote_ip_addr,
static bool static bool
ident_unix(int sock, char *ident_user) ident_unix(int sock, char *ident_user)
{ {
#ifdef SO_PEERCRED
/* Linux style: use getsockopt(SO_PEERCRED) */
struct ucred peercred; struct ucred peercred;
socklen_t so_len; socklen_t so_len;
struct passwd *pass; struct passwd *pass;
#ifdef SO_PASSCRED
int passcred = -1;
so_len = sizeof(passcred);
if (setsockopt(sock, SOL_SOCKET, SO_PASSCRED, &passcred, so_len) != 0)
{
/* We could not set the socket to pass credentials */
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"Could not set the UNIX socket to pass credentials: %s\n",
strerror(errno));
fputs(PQerrormsg, stderr);
pqdebug("%s", PQerrormsg);
return false;
}
#endif /* SO_PASSCRED */
errno = 0; errno = 0;
so_len = sizeof(peercred); so_len = sizeof(peercred);
if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) != 0 || if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred, &so_len) != 0 ||
@ -928,9 +896,17 @@ ident_unix(int sock, char *ident_user)
StrNCpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX); StrNCpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX);
return true; return true;
}
#else /* not SO_PEERCRED */
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"IDENT auth is not supported on local connections on this platform\n");
fputs(PQerrormsg, stderr);
pqdebug("%s", PQerrormsg);
return false;
#endif /* SO_PEERCRED */ #endif /* SO_PEERCRED */
}
/* /*
* Determine the username of the initiator of the connection described * Determine the username of the initiator of the connection described
@ -954,12 +930,10 @@ authident(hbaPort *port)
port->laddr.in.sin_port, ident_user)) port->laddr.in.sin_port, ident_user))
return STATUS_ERROR; return STATUS_ERROR;
break; break;
#ifdef SO_PEERCRED
case AF_UNIX: case AF_UNIX:
if (!ident_unix(port->sock, ident_user)) if (!ident_unix(port->sock, ident_user))
return STATUS_ERROR; return STATUS_ERROR;
break; break;
#endif
default: default:
return STATUS_ERROR; return STATUS_ERROR;
} }