[Pgpool-general] (no subject)

Tatsuo Ishii ishii at sraoss.co.jp
Mon Apr 25 06:50:20 UTC 2011


Subject changed.

The reason why the patches on 3.0-stable were cancelled was:

- it was against our policy (do not add new features to the stable tree)
- insecure. anybody can add/change anyone's password.

What we are going to do is:

Add a new option to the pg_md5 command so that it can add/change an entry
which does not correspond to an OS user. Also the command will be
setuid-ed and should be installed as the same uid as the pgpool
installation (pgpool super user). If uid and euid are identical then
the command is being executed by the pgpool super user. Otherwise the
command does not allow creating/changing entries other than his/her own
one. These changes will appear in CVS HEAD (aka 3.1).
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

> Ok, let me ask Toshihiro on this.
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese: http://www.sraoss.co.jp
> 
>> Tatsuo-san,
>> 
>> Thank you for your prompt reply. From what I can see, such a thing was committed in revision 1.9 (October 1st 2010) by Kitagawa-san, but cancelled in revision 1.10.
>> I've reported that patch in my fresh 3.0.3 source tree. Compiled ok, works fine. I guess it would be a good idea to commit it again? What do you think? Any reason why it was cancelled?
>> Tell me if I can help.
>> 
>> Br
>> 
>> Sekine
>> 
>> 
>> Le 24 avr. 2011 à 14:00, pgpool-general-request at pgfoundry.org a écrit :
>> 
>>> Today's Topics:
>>> 
>>>   1. [3.0.3] pg_md5 limited to current uid ? (Sékine Coulibaly)
>>>   2. Re: [3.0.3] pg_md5 limited to current uid ? (Tatsuo Ishii)
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> 
>>> Message: 1
>>> Date: Sat, 23 Apr 2011 23:25:38 +0200
>>> From: Sékine Coulibaly <scoulibaly at gmail.com>
>>> Subject: [Pgpool-general] [3.0.3] pg_md5 limited to current uid ?
>>> To: pgpool-general at pgfoundry.org
>>> Message-ID: <BANLkTinJ3884WXCidEyJtzyD6UaVxp3LbA at mail.gmail.com>
>>> Content-Type: text/plain; charset="utf-8"
>>> 
>>> Hi there,
>>> 
>>> Let's assume my backends are Linux boxes. On them only root and postgres
>>> users are defined (at OS level). In Postgres server, I defined an
>>> additional user "rouser", so that my Postgres base has 2 users: postgres
>>> and rouser.
>>> 
>>> In my understanding, I should be able to do the following to access
>>> pgpool-test database logging with that user :
>>> 
>>> psql -p 9999 pgpool-test -U rouser
>>> 
>>> Unfortunately, the authentication fails, because my pool_passwd doesn't
>>> include a line like this :
>>> 
>>> rouser:md5XXXXXXXXXXXXXXXXXXXXX
>>> 
>>> Since XXXXXXXXXXXX is not equal to MD5(password), does anyone have a trick ?
>>> I wish I need not create a "rouser" Linux user for this, nor use postgres
>>> user.
>>> 
>>> The pg_md5.c code shows :
>>> 
>>>    pw = getpwuid(getuid());
>>> ...
>>> 
>>>    pg_md5_encrypt(password, pw->pw_name, strlen(pw->pw_name), md5);
>>> 
>>> Which is not very encouraging...
>>> 
>>> 
>>> Thank you !
>>> 
>>> Sekine
>>> 
>>> ------------------------------
>>> 
>>> Message: 2
>>> Date: Sun, 24 Apr 2011 17:47:25 +0900 (JST)
>>> From: Tatsuo Ishii <ishii at sraoss.co.jp>
>>> Subject: Re: [Pgpool-general] [3.0.3] pg_md5 limited to current uid ?
>>> To: scoulibaly at gmail.com
>>> Cc: pgpool-general at pgfoundry.org
>>> Message-ID: <20110424.174725.918073251467493034.t-ishii at sraoss.co.jp>
>>> Content-Type: Text/Plain; charset=us-ascii
>>> 
>>>> Let's assume my backends are Linux boxes. On them only root and postgres
>>>> users are defined (at OS level). In Postgres server, I defined an
>>>> additional user "rouser", so that my Postgres base has 2 users: postgres
>>>> and rouser.
>>>> 
>>>> In my understanding, I should be able to do the following to access
>>>> pgpool-test database logging with that user :
>>>> 
>>>> psql -p 9999 pgpool-test -U rouser
>>>> 
>>>> Unfortunately, the authentication fails, because my pool_passwd doesn't
>>>> include a line like this :
>>>> 
>>>> rouser:md5XXXXXXXXXXXXXXXXXXXXX
>>>> 
>>>> Since XXXXXXXXXXXX is not equal to MD5(password), does anyone have a trick ?
>>>> I wish I need not create a "rouser" Linux user for this, nor use postgres
>>>> user.
>>>> 
>>>> The pg_md5.c code shows :
>>>> 
>>>>    pw = getpwuid(getuid());
>>>> ...
>>>> 
>>>>    pg_md5_encrypt(password, pw->pw_name, strlen(pw->pw_name), md5);
>>>> 
>>>> Which is not very encouraging...
>>> 
>>> Probably pg_md5 should have "-u user" option or something like this,
>>> which allows pgpool super user to create an entry in pool_passwd
>>> corresponding to non OS user entry.
>>> --
>>> Tatsuo Ishii
>>> SRA OSS, Inc. Japan
>>> English: http://www.sraoss.co.jp/index_en.php
>>> Japanese: http://www.sraoss.co.jp
>>> 
>>> 
>>> ------------------------------
>>> 
>>> _______________________________________________
>>> Pgpool-general mailing list
>>> Pgpool-general at pgfoundry.org
>>> http://pgfoundry.org/mailman/listinfo/pgpool-general
>>> 
>>> 
>>> End of Pgpool-general Digest, Vol 77, Issue 17
>>> **********************************************
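The two points the thread turns on, as an added example in Python (not pgpool's own code): the pool_passwd hash is salted with the username, so a hash made for the OS user returned by getpwuid(getuid()) is useless for "rouser", and the setuid pg_md5 proposed above needs the uid/euid check so that a non-superuser can only touch his/her own entry. The PostgreSQL md5 format ("md5" + hex(md5(password || username))) is what pgpool's pg_md5_encrypt produces; the function names, the simulated file contents and the uid values below are assumptions made for the example.

```python
# Added example modelling pool_passwd entries and the proposed uid/euid
# access rule for a setuid pg_md5. Not pgpool's own code.
import hashlib
import os


def md5_password(user: str, password: str) -> str:
    """PostgreSQL/pgpool md5 password: "md5" + hex(md5(password || username)).

    The username is the salt, which is why an entry computed for the OS
    user (as pg_md5 3.0.x does via getpwuid(getuid())) does not work
    for a database-only role such as "rouser".
    """
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def pool_passwd_line(user: str, password: str) -> str:
    """One line of pool_passwd: "<user>:md5<hex>"."""
    return f"{user}:{md5_password(user, password)}"


def current_os_user_line(password: str) -> str:
    """What the original pg_md5 produces: an entry for the calling OS user only."""
    import pwd  # Unix-only, hence imported here
    return pool_passwd_line(pwd.getpwuid(os.getuid()).pw_name, password)


def may_write_entry(target_user: str, uid: int, euid: int, caller_name: str) -> bool:
    """Access rule for the setuid pg_md5 described in the thread.

    The binary is setuid to the pgpool super user. If real uid == effective
    uid, the caller really is the pgpool super user and may add/change any
    entry. Otherwise the caller only borrowed the super user's euid and may
    change nothing but the entry matching his/her own OS account name.
    """
    if uid == euid:
        return True
    return target_user == caller_name


def upsert_entry(lines: list, user: str, password: str) -> list:
    """Return pool_passwd lines with the entry for `user` replaced or appended."""
    new_line = pool_passwd_line(user, password)
    out, replaced = [], False
    for line in lines:
        name, _, _ = line.partition(":")
        if name == user:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return out


def pg_md5_set(lines: list, target_user: str, password: str,
               uid: int = None, euid: int = None, caller_name: str = None) -> list:
    """Simulated `pg_md5 -u target_user` (hypothetical option) with the check applied.

    uid/euid/caller_name default to the real process values; they are
    parameters so the rule can be exercised with constructed values.
    """
    uid = os.getuid() if uid is None else uid
    euid = os.geteuid() if euid is None else euid
    if caller_name is None:
        import pwd
        caller_name = pwd.getpwuid(uid).pw_name
    if not may_write_entry(target_user, uid, euid, caller_name):
        raise PermissionError(
            f"{caller_name} may only change its own entry, not {target_user!r}")
    return upsert_entry(lines, target_user, password)


if __name__ == "__main__":
    # Constructed pool_passwd contents; uid 1000 stands for the pgpool super user.
    passwd = ["postgres:" + md5_password("postgres", "pg-secret")]
    passwd = pg_md5_set(passwd, "rouser", "ro-secret", uid=1000, euid=1000,
                        caller_name="postgres")
    print("\n".join(passwd))
    try:
        # Ordinary user "alice" running the setuid binary: euid is 1000, uid is not.
        pg_md5_set(passwd, "rouser", "x", uid=1001, euid=1000, caller_name="alice")
    except PermissionError as e:
        print("refused:", e)
```

The check is deliberately on the real uid, not the effective one: under setuid both users run with the super user's euid, so euid alone cannot distinguish them, which is exactly the hole the cancelled 3.0-stable patch left open.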

