Re: [HACKERS] rolcanlogin vs. the flat password file

Wed, 17 Oct 2007 07:50:32 -0700 

On Sun, Oct 14, 2007 at 06:16:04PM -0400, Stephen Frost wrote:
> * Tom Lane ([EMAIL PROTECTED]) wrote:
> > > Stephen Frost <[EMAIL PROTECTED]> writes:
> > >> I wonder if the OP was unhappy because he created a role w/ a pw and
> > >> then couldn't figure out why the user couldn't log in?
> > 
> > > Hm, maybe.  In that case just not filtering the entry out of the flat
> > > file would be good enough.
> > 
> > I've confirmed the confusing behavior in CVS HEAD.  With password auth
> > selected in pg_hba.conf:
> [...]
> > Should we just do this, or is it worth working harder?
> 
> I certainly like this.  Honestly, I'd also like the warning when doing a
> 'create role'/'alter role' that sets/changes the pw on an account that
> doesn't have 'rolcanlogin'.  Much better to have me notice that I goof'd
> the command and fix it before telling the user 'go ahead and log in'
> than to have the user complain that it's not working. :)
> 
> Just my 2c.

I think that's a good idea. Attached is a patch that implements this (I
think - haven't messed around in that area of the code before). Thoughts?

//Magnus


Index: src/backend/commands/user.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/commands/user.c,v
retrieving revision 1.177
diff -c -r1.177 user.c
*** src/backend/commands/user.c 3 Sep 2007 18:46:30 -0000       1.177
--- src/backend/commands/user.c 17 Oct 2007 14:45:33 -0000
***************
*** 250,255 ****
--- 250,260 ----
        if (dvalidUntil)
                validUntil = strVal(dvalidUntil->arg);
  
+       /* Warn about combination that's likely incorrect */
+       if (password && !canlogin)
+               ereport(WARNING,
+                               (errmsg("created user with password that cannot 
log in")));
+       
        /* Check some permissions first */
        if (issuper)
        {
***************
*** 649,654 ****
--- 654,664 ----
                                DirectFunctionCall1(textin, 
CStringGetDatum(encrypted_password));
                }
                new_record_repl[Anum_pg_authid_rolpassword - 1] = 'r';
+               /* Warn about combination that's likely incorrect */
+               if (canlogin == 0 ||
+                   ((((Form_pg_authid) GETSTRUCT(tuple))->rolcanlogin == 0) && 
canlogin != 1))
+                       ereport(WARNING,
+                                       (errmsg("set password for a user that 
cannot log in")));
        }
  
        /* unset password */

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Reply via email to