
Commit 96ed0b8

Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7 we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable name, so don't do that. Back-patch to 9.6. Bug #15520. Author: Thomas Munro Reviewed-by: Peter Eisentraut Reported-by: Albert Schabhuetl Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
1 parent 4e7395d commit 96ed0b8


1 file changed

+30
-20
lines changed


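--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2158,18 +2158,6 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 int retval;
 pam_handle_t *pamh = NULL;
-char hostinfo[NI_MAXHOST];
-
-retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
-hostinfo, sizeof(hostinfo), NULL, 0,
-port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
-if (retval != 0)
-{
-ereport(WARNING,
-(errmsg_internal("pg_getnameinfo_all() failed: %s",
-gai_strerror(retval))));
-return STATUS_ERROR;
-}
 
 /*
 * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -2215,15 +2203,37 @@ CheckPAMAuth(Port *port, char *user, char *password)
 return STATUS_ERROR;
 }
 
-retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
-if (retval != PAM_SUCCESS)
+if (port->hba->conntype != ctLocal)
 {
-ereport(LOG,
-(errmsg("pam_set_item(PAM_RHOST) failed: %s",
-pam_strerror(pamh, retval))));
-pam_passwd = NULL;
-return STATUS_ERROR;
+char hostinfo[NI_MAXHOST];
+int flags;
+
+if (port->hba->pam_use_hostname)
+flags = 0;
+else
+flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+hostinfo, sizeof(hostinfo), NULL, 0,
+flags);
+if (retval != 0)
+{
+ereport(WARNING,
+(errmsg_internal("pg_getnameinfo_all() failed: %s",
+gai_strerror(retval))));
+return STATUS_ERROR;
+}
+
+retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+if (retval != PAM_SUCCESS)
+{
+ereport(LOG,
+(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+pam_strerror(pamh, retval))));
+pam_passwd = NULL;
+return STATUS_ERROR;
+}
 }
 
 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);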
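Review bot: The `pg_getnameinfo_all()` failure branch inside the new `if (port->hba->conntype != ctLocal)` block returns `STATUS_ERROR` without `pam_passwd = NULL;`, while the `pam_set_item(PAM_RHOST)` failure branch a few lines below it does clear the pointer. Before this commit the lookup ran at the top of CheckPAMAuth, ahead of the appdata comment, so presumably before the static password pointer was assigned; it now appears to run after that, which would leave the pointer to the client's password set on this exit path. Adding `pam_passwd = NULL;` before that `return STATUS_ERROR;` would make the two exits agree. The assignment of pam_passwd and the creation of pamh are outside the hunk, so whether the handle also needs releasing on this path should be checked against the full function.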
