
Commit 0f9cdd7

committed
Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7 we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable name, so don't do that. Back-patch to 9.6. Bug #15520. Author: Thomas Munro Reviewed-by: Peter Eisentraut Reported-by: Albert Schabhuetl Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
1 parent f69c959 commit 0f9cdd7

1 file changed

+30
-20
lines changed

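--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2162,18 +2162,6 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
 {
 int retval;
 pam_handle_t *pamh = NULL;
-char hostinfo[NI_MAXHOST];
-
-retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
-hostinfo, sizeof(hostinfo), NULL, 0,
-port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
-if (retval != 0)
-{
-ereport(WARNING,
-(errmsg_internal("pg_getnameinfo_all() failed: %s",
-gai_strerror(retval))));
-return STATUS_ERROR;
-}
 
 /*
 * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -2219,15 +2207,37 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
 return STATUS_ERROR;
 }
 
-retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
-if (retval != PAM_SUCCESS)
+if (port->hba->conntype != ctLocal)
 {
-ereport(LOG,
-(errmsg("pam_set_item(PAM_RHOST) failed: %s",
-pam_strerror(pamh, retval))));
-pam_passwd = NULL;
-return STATUS_ERROR;
+char hostinfo[NI_MAXHOST];
+int flags;
+
+if (port->hba->pam_use_hostname)
+flags = 0;
+else
+flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+hostinfo, sizeof(hostinfo), NULL, 0,
+flags);
+if (retval != 0)
+{
+ereport(WARNING,
+(errmsg_internal("pg_getnameinfo_all() failed: %s",
+gai_strerror(retval))));
+return STATUS_ERROR;
+}
+
+retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+if (retval != PAM_SUCCESS)
+{
+ereport(LOG,
+(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+pam_strerror(pamh, retval))));
+pam_passwd = NULL;
+return STATUS_ERROR;
+}
 }
 
 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);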
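Review bot: The `pg_getnameinfo_all()` failure branch added inside the `conntype != ctLocal` block returns `STATUS_ERROR` without clearing `pam_passwd`, whereas the `pam_set_item(PAM_RHOST)` failure branch directly below it sets `pam_passwd = NULL;` first. In its old position at the top of CheckPAMAuth the lookup presumably ran before `pam_passwd` was assigned (that assignment is outside both hunks), so the bare return was harmless there; after the move, this path would leave the pointer to the client-supplied password in place. I would add `pam_passwd = NULL;` before that `return STATUS_ERROR;` so every error exit after PAM setup behaves the same. Separately, a short comment above the `if` saying that PAM_RHOST is deliberately left unset for Unix-socket connections would help, since PAM modules that make access decisions on rhost will now see no value for local logins.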
