On 30 November 2014 at 15:02, Noah Misch <n...@leadboat.com> wrote:

> On Sun, Sep 21, 2014 at 02:31:15AM -0400, Noah Misch wrote:
> > It then dawned on me that every Windows build of PostgreSQL already has a way
> > to limit connections to a particular OS user. SSPI authentication is
> > essentially the Windows equivalent of peer authentication. A brief trial
> > thereof looked promising. Regression runs will need a pg_ident.conf listing
> > each role used in the regression tests. That's not ideal, but the buildfarm
> > will quickly reveal any omissions. Unless someone sees a problem here, I will
> > look at fleshing this out into a complete patch. I bet it will even turn out
> > to be back-patchable.
>
> That worked out nicely. "pg_regress --temp-install" rewrites pg_ident.conf
> and pg_hba.conf such that the current OS user may authenticate as the
> bootstrap superuser and as any user named in --create-role. Suites not using
> --temp-install (pg_upgrade, TAP) call "pg_regress --config-auth=DATADIR" to
> pick up those same configuration changes. My hope is that out-of-tree test
> harnesses wanting this hardening can do likewise. On non-Windows systems,
> "pg_regress --config-auth" does nothing.

f6dc6dd seems to have broken vcregress check for me:

D:\Postgres\a\src\tools\msvc>vcregress check
============== removing existing temp installation ==============
============== creating temporary installation ==============
============== initializing database system ==============
============== starting postmaster ==============

pg_regress: postmaster did not respond within 60 seconds
Examine D:/Postgres/a/src/test/regress/log/postmaster.log for the reason

The postmaster.log reads:

LOG: database system was shut down at 2014-12-25 15:26:33 NZDT
LOG: database system is ready to accept connections
LOG: autovacuum launcher started
FATAL: no pg_hba.conf entry for host "::1", user "David", database "postgres"
...
FATAL: no pg_hba.conf entry for host "::1", user "David", database "postgres"

Having a look at the pg_hba.conf that's been generated by pgregress, it looks like it only adds a line for IPv4 addresses.

I'll admit that I don't have a great understanding of what the SSPI stuff is about, but at least the attached patch seems to fix the problem for me.

Regards

David Rowley

diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c index cb092f9..e2adaca 100644 --- a/src/test/regress/pg_regress.c +++ b/src/test/regress/pg_regress.c @@ -1085,6 +1085,8 @@ config_sspi_auth(const char *pgdata) CW(fputs("# Configuration written by config_sspi_auth()\n", hba) >= 0); CW(fputs("host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n", hba) >= 0); + CW(fputs("host all all ::1/128 sspi include_realm=1 map=regress\n", + hba) >= 0); CW(fclose(hba) == 0); snprintf(fname, sizeof(fname), "%s/pg_ident.conf", pgdata);
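
Review bot: the added fputs() of "host all all ::1/128 sspi include_realm=1 map=regress" in config_sspi_auth() is written unconditionally, with no check that the machine running the tests can use an IPv6 loopback address. If the server on such a host cannot parse the ::1/128 record, the generated pg_hba.conf would stop the temporary installation from starting, which trades one startup failure for another. Consider emitting the record only when IPv6 loopback is usable, and add a short comment above the two fputs() calls saying why both address families are listed (the postmaster.log in this report shows the client arriving from "::1"). The new record keeps the same sspi include_realm=1 map=regress options as the 127.0.0.1/32 line, which is right: both loopback paths stay limited to the mapped OS user.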
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
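
The failure reported in this thread can be checked for before the postmaster is started. The following is an added example, not code from the thread or from PostgreSQL: it reads pg_hba.conf text and reports which authentication method the first matching host record gives each loopback address. The function names and the two sample files are constructed for illustration, and the database and user columns are assumed to be "all" as in the records shown above.

```python
import ipaddress

# Constructed samples: the records the thread shows config_sspi_auth()
# writing, before and after the proposed patch.
HBA_BEFORE = (
    "# Configuration written by config_sspi_auth()\n"
    "host all all 127.0.0.1/32 sspi include_realm=1 map=regress\n"
)
HBA_AFTER = HBA_BEFORE + "host all all ::1/128 sspi include_realm=1 map=regress\n"

LOOPBACKS = ("127.0.0.1", "::1")


def host_rules(hba_text):
    """Return [(network, auth_method)] for host* records, in file order."""
    rules = []
    for raw in hba_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # host names, "samehost", separate-netmask form: not handled
        rules.append((net, fields[4]))
    return rules


def loopback_methods(hba_text):
    """Map each loopback address to the method of the first matching record.

    None means no record matches, which the server reports as
    'no pg_hba.conf entry for host ...'. Assumes database and user
    columns are 'all', as in the records on this page.
    """
    rules = host_rules(hba_text)
    result = {}
    for text in LOOPBACKS:
        addr = ipaddress.ip_address(text)
        result[text] = next(
            (method for net, method in rules
             if net.version == addr.version and addr in net),
            None,
        )
    return result


if __name__ == "__main__":
    print("before:", loopback_methods(HBA_BEFORE))
    print("after: ", loopback_methods(HBA_AFTER))
```

A None for "::1" corresponds to the FATAL lines in the postmaster.log above; a method other than sspi on either address would mean the loopback path is not limited to the mapped OS user.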