From 0f9cdd7dca694d487ab663d463b308919f591c02 Mon Sep 17 00:00:00 2001 From: Thomas Munro Date: Wed, 28 Nov 2018 14:00:57 +1300 Subject: [PATCH] Don't set PAM_RHOST for Unix sockets. Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable name, so don't do that. Back-patch to 9.6. Bug #15520. Author: Thomas Munro Reviewed-by: Peter Eisentraut Reported-by: Albert Schabhuetl Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org --- src/backend/libpq/auth.c | 50 ++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 20 deletions(-) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 4f9d697d6d..ff0832dba8 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -2162,18 +2162,6 @@ CheckPAMAuth(Port *port, const char *user, const char *password) { int retval; pam_handle_t *pamh = NULL; - char hostinfo[NI_MAXHOST]; - - retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, - hostinfo, sizeof(hostinfo), NULL, 0, - port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV); - if (retval != 0) - { - ereport(WARNING, - (errmsg_internal("pg_getnameinfo_all() failed: %s", - gai_strerror(retval)))); - return STATUS_ERROR; - } /* * We can't entirely rely on PAM to pass through appdata --- it appears @@ -2219,15 +2207,37 @@ CheckPAMAuth(Port *port, const char *user, const char *password) return STATUS_ERROR; } - retval = pam_set_item(pamh, PAM_RHOST, hostinfo); - - if (retval != PAM_SUCCESS) + if (port->hba->conntype != ctLocal) { - ereport(LOG, - (errmsg("pam_set_item(PAM_RHOST) failed: %s", - pam_strerror(pamh, retval)))); - pam_passwd = NULL; - return STATUS_ERROR; + char hostinfo[NI_MAXHOST]; + int flags; + + if (port->hba->pam_use_hostname) + flags = 0; + else + flags = NI_NUMERICHOST | NI_NUMERICSERV; + + retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, + hostinfo, sizeof(hostinfo), NULL, 0, + flags); + if (retval != 0) + { + ereport(WARNING, + (errmsg_internal("pg_getnameinfo_all() failed: %s", + gai_strerror(retval)))); + return STATUS_ERROR; + } + + retval = pam_set_item(pamh, PAM_RHOST, hostinfo); + + if (retval != PAM_SUCCESS) + { + ereport(LOG, + (errmsg("pam_set_item(PAM_RHOST) failed: %s", + pam_strerror(pamh, retval)))); + pam_passwd = NULL; + return STATUS_ERROR; + } } retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv); -- 2.40.0