mirrors
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make the location of the Kerberos server key file run time configurable 

(rather than compile time). For libpq, even when Kerberos support is
compiled in, the default user name should still fall back to geteuid()
if it can't be determined via the Kerberos system.

A couple of fixes for string type configuration parameters, now that there
is one.
This commit is contained in:
Peter Eisentraut 2000-08-25 10:00:35 +00:00
parent 69cf335687
commit 996832caee
11 changed files with 490 additions and 514 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

811
configure vendored
View File

File diff suppressed because it is too large Load Diff

20
configure.in
View File

@ -477,6 +477,8 @@ if test "$with_krb4" = yes ; then
fi fi
dnl Test for these libraries is below dnl Test for these libraries is below
KRB_LIBS="$krb_libdir -lkrb -ldes" KRB_LIBS="$krb_libdir -lkrb -ldes"
krb_srvtab='/etc/srvtab'
fi fi
@ -513,6 +515,8 @@ if test "$with_krb5" = yes ; then
dnl Test for these libraries is below dnl Test for these libraries is below
KRB_LIBS="$krb_libdir -lkrb5 -lcrypto -lcom_err" KRB_LIBS="$krb_libdir -lkrb5 -lcrypto -lcom_err"
krb_srvtab='FILE:$(sysconfdir)/krb5.keytab'
fi fi
@ -521,6 +525,8 @@ if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined]) AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
fi fi
AC_SUBST(krb_srvtab)
dnl Necessary for special libpq link dnl Necessary for special libpq link
AC_SUBST(KRB_LIBS) AC_SUBST(KRB_LIBS)
@ -537,20 +543,6 @@ fi],
[krb_srvnam="postgres"]) [krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED(PG_KRB_SRVNAM, ["$krb_srvnam"], [The name of the Postgres service principal]) AC_DEFINE_UNQUOTED(PG_KRB_SRVNAM, ["$krb_srvnam"], [The name of the Postgres service principal])
AC_ARG_WITH(krb-srvtab, [ --with-krb-srvtab=FILE location of Kerberos server's keytab file],
[if test x"$withval" = x"yes"; then
AC_MSG_ERROR([argument required for --with-krb-srvtab])
else
krb_srvtab=$withval
fi],
[if test "$with_krb5" = yes ; then
krb_srvtab='FILE:${sysconfdir}/krb5.keytab'
elif test "$with_krb4" = yes ; then
krb_srvtab='/etc/srvtab'
else
krb_srvtab=
fi])
AC_SUBST(krb_srvtab)
# #

18
doc/src/sgml/client-auth.sgml
View File

@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.3 2000/07/15 21:35:47 petere Exp $ --> <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.4 2000/08/25 10:00:29 petere Exp $ -->
<chapter id="client-authentication"> <chapter id="client-authentication">
<title>Client Authentication</title> <title>Client Authentication</title>
@ -341,7 +341,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
</sect2> </sect2>
<sect2> <sect2 id="kerberos-auth">
<title>Kerberos authentication</title> <title>Kerberos authentication</title>
<para> <para>
@ -369,13 +369,15 @@ host all 192.168.2.0 255.255.255.0 ident othermap
<productname>Postgres</> should operate like a normal Kerberos <productname>Postgres</> should operate like a normal Kerberos
service. The name of the service principal is normally service. The name of the service principal is normally
<literal>postgres</literal>, unless it was changed during the <literal>postgres</literal>, unless it was changed during the
build. Make sure that your server keytab file is readable (and build. Make sure that your server key file is readable (and
preferrably only readable) by the Postgres server account (see preferrably only readable) by the Postgres server account (see
<xref linkend="postgres-user">). The location of the keytab file <xref linkend="postgres-user">). The location of the key file
is specified at build time; by default it is is specified with the <varname>krb_server_keyfile</> run time
<filename>/etc/srvtab</filename> in Kerberos 4 and configuration parameter. (See also <xref linkend="runtime-config">.)
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> in The default is <filename>/etc/srvtab</> if you are using Kerberos 4
Kerberos 5. and <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</> (or whichever
directory was specified as <varname>sysconfdir</> at build time)
with Kerberos 5.
</para> </para>
<para> <para>

18
doc/src/sgml/installation.sgml
View File

@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.13 2000/07/22 14:48:01 petere Exp $ --> <!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.14 2000/08/25 10:00:29 petere Exp $ -->
<chapter id="installation"> <chapter id="installation">
<title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title> <title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
@ -577,27 +577,13 @@ su - postgres
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>--with-krb-srvtab=<replaceable>FILE</></term>
<listitem>
<para>
Specifies the location of the Kerberos server shared key file
(<quote>srvtab</>). If you are using Kerberos 4, this
defaults to <filename>/etc/srvtab</>, with Kerberos 5 to
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</>, or
equivalent, depending on what you set <option>--sysconfdir</>
to above.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>--enable-syslog</term> <term>--enable-syslog</term>
<listitem> <listitem>
<para> <para>
Enables the <productname>PostgreSQL</> server to use the Enables the <productname>PostgreSQL</> server to use the
syslog logging facility. (Using this option does not mean syslog logging facility. (Using this option does not mean
that you have to log with syslog or even that it will be done that you will have to log with syslog or even that it will be done
by default, it simply makes it possible to turn this option by default, it simply makes it possible to turn this option
on at run time.) on at run time.)
</para> </para>

12
doc/src/sgml/runtime.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.18 2000/08/11 18:31:06 tgl Exp $ $Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.19 2000/08/25 10:00:29 petere Exp $
--> -->
<Chapter Id="runtime"> <Chapter Id="runtime">
@ -898,6 +898,16 @@ env PGOPTIONS='--geqo=off' psql
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>KRB_SERVER_KEYFILE</>
<listitem>
<para>
Sets the location of the Kerberos server key file. See
<xref linkend="kerberos-auth"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>MAX_CONNECTIONS (<type>integer</type>)</term> <term>MAX_CONNECTIONS (<type>integer</type>)</term>
<listitem> <listitem>

11
src/backend/libpq/Makefile
View File

@ -4,13 +4,13 @@
# Makefile for libpq subsystem (backend half of libpq interface) # Makefile for libpq subsystem (backend half of libpq interface)
# #
# IDENTIFICATION # IDENTIFICATION
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.23 2000/07/09 13:48:45 petere Exp $ # $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.24 2000/08/25 10:00:30 petere Exp $
# #
#------------------------------------------------------------------------- #-------------------------------------------------------------------------
subdir = src/backend/libpq subdir = src/backend/libpq
top_builddir = ../../.. top_builddir = ../../..
include ../../Makefile.global include $(top_builddir)/src/Makefile.global
# be-fsstubs is here for historical reasons, probably belongs elsewhere # be-fsstubs is here for historical reasons, probably belongs elsewhere
@ -18,12 +18,6 @@ OBJS = be-fsstubs.o \
auth.o crypt.o hba.o password.o \ auth.o crypt.o hba.o password.o \
pqcomm.o pqformat.o pqpacket.o pqsignal.o util.o pqcomm.o pqformat.o pqpacket.o pqsignal.o util.o
# This location might depend on the installation directories. Therefore
# we can't subsitute it into config.h.
ifdef krb_srvtab
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
endif
all: SUBSYS.o all: SUBSYS.o
@ -39,4 +33,3 @@ clean:
ifeq (depend,$(wildcard depend)) ifeq (depend,$(wildcard depend))
include depend include depend
endif endif

13
src/backend/libpq/auth.c
View File

@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.48 2000/07/04 16:31:53 petere Exp $ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.49 2000/08/25 10:00:30 petere Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -51,6 +51,9 @@ static int map_old_to_new(Port *port, UserAuth old, int status);
static void auth_failed(Port *port); static void auth_failed(Port *port);
char * pg_krb_server_keyfile;
#ifdef KRB4 #ifdef KRB4
/*---------------------------------------------------------------- /*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 4 * MIT Kerberos authentication system - protocol version 4
@ -89,7 +92,7 @@ pg_krb4_recvauth(Port *port)
&port->raddr.in, &port->raddr.in,
&port->laddr.in, &port->laddr.in,
&auth_data, &auth_data,
PG_KRB_SRVTAB, pg_krb_server_keyfile,
key_sched, key_sched,
version); version);
if (status != KSUCCESS) if (status != KSUCCESS)
@ -197,13 +200,13 @@ pg_krb5_init(void)
return STATUS_ERROR; return STATUS_ERROR;
} }
retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab); retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
if (retval) { if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH, snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_kt_resolve returned" "pg_krb5_init: krb5_kt_resolve returned"
" Kerberos error %d\n", retval); " Kerberos error %d\n", retval);
com_err("postgres", retval, "while resolving keytab file %s", com_err("postgres", retval, "while resolving keytab file %s",
PG_KRB_SRVTAB); pg_krb_server_keyfile);
krb5_free_context(pg_krb5_context); krb5_free_context(pg_krb5_context);
return STATUS_ERROR; return STATUS_ERROR;
} }
@ -216,7 +219,7 @@ pg_krb5_init(void)
" Kerberos error %d\n", retval); " Kerberos error %d\n", retval);
com_err("postgres", retval, com_err("postgres", retval,
"while getting server principal for service %s", "while getting server principal for service %s",
PG_KRB_SRVTAB); pg_krb_server_keyfile);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab); krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context); krb5_free_context(pg_krb5_context);
return STATUS_ERROR; return STATUS_ERROR;

22
src/backend/utils/misc/Makefile
View File

@ -1,18 +1,18 @@
#------------------------------------------------------------------------- # $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.17 2000/08/25 10:00:31 petere Exp $
#
# Makefile--
# Makefile for utils/misc
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.16 2000/06/04 01:44:34 petere Exp $
#
#-------------------------------------------------------------------------
SRCDIR = ../../.. subdir = src/backend/utils/misc
include $(SRCDIR)/Makefile.global top_builddir = ../../../..
include $(top_builddir)/src/Makefile.global
OBJS = database.o superuser.o guc.o guc-file.o ps_status.o OBJS = database.o superuser.o guc.o guc-file.o ps_status.o
# This location might depend on the installation directories. Therefore
# we can't subsitute it into config.h.
ifdef krb_srvtab
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
endif
all: SUBSYS.o all: SUBSYS.o
SUBSYS.o: $(OBJS) SUBSYS.o: $(OBJS)

29
src/backend/utils/misc/guc.c
View File

@ -4,7 +4,7 @@
* Support for grand unified configuration scheme, including SET * Support for grand unified configuration scheme, including SET
* command, configuration file, and command line options. * command, configuration file, and command line options.
* *
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.8 2000/08/11 18:31:10 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.9 2000/08/25 10:00:31 petere Exp $
* *
* Copyright 2000 by PostgreSQL Global Development Group * Copyright 2000 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
@ -21,6 +21,7 @@
#include "utils/guc.h" #include "utils/guc.h"
#include "commands/async.h" #include "commands/async.h"
#include "libpq/auth.h"
#include "miscadmin.h" #include "miscadmin.h"
#include "optimizer/cost.h" #include "optimizer/cost.h"
#include "optimizer/geqo.h" #include "optimizer/geqo.h"
@ -54,6 +55,11 @@ bool Show_btree_build_stats = false;
bool SQL_inheritance = true; bool SQL_inheritance = true;
#ifndef PG_KRB_SRVTAB
# define PG_KRB_SRVTAB ""
#endif
enum config_type enum config_type
{ {
@ -113,7 +119,7 @@ struct config_string
{ {
const char *name; const char *name;
GucContext context; GucContext context;
char *variable; char **variable;
const char *default_val; const char *default_val;
bool (*parse_hook)(const char *); bool (*parse_hook)(const char *);
}; };
@ -273,7 +279,8 @@ ConfigureNamesReal[] =
static struct config_string static struct config_string
ConfigureNamesString[] = ConfigureNamesString[] =
{ {
/* none so far */ {"krb_server_keyfile", PGC_USERSET, &pg_krb_server_keyfile,
PG_KRB_SRVTAB, NULL},
{NULL, 0, NULL, NULL, NULL} {NULL, 0, NULL, NULL, NULL}
}; };
@ -323,7 +330,7 @@ find_option(const char * name, struct config_generic ** record)
{ {
if (record) if (record)
*record = (struct config_generic *)&ConfigureNamesString[i]; *record = (struct config_generic *)&ConfigureNamesString[i];
return PGC_REAL; return PGC_STRING;
} }
return PGC_NONE; return PGC_NONE;
@ -349,7 +356,7 @@ ResetAllOptions(void)
for (i = 0; ConfigureNamesReal[i].name; i++) for (i = 0; ConfigureNamesReal[i].name; i++)
*(ConfigureNamesReal[i].variable) = ConfigureNamesReal[i].default_val; *(ConfigureNamesReal[i].variable) = ConfigureNamesReal[i].default_val;
for (i = 0; ConfigureNamesString[i].name; i++) for (i = 0; ConfigureNamesString[i].name; i++)
{ {
char * str = NULL; char * str = NULL;
@ -359,7 +366,7 @@ ResetAllOptions(void)
if (str == NULL) if (str == NULL)
elog(ERROR, "out of memory"); elog(ERROR, "out of memory");
} }
ConfigureNamesString[i].variable = str; *(ConfigureNamesString[i].variable) = str;
} }
if (getenv("PGPORT")) if (getenv("PGPORT"))
@ -650,8 +657,8 @@ set_config_option(const char * name, const char * value, GucContext
elog(elevel, "out of memory"); elog(elevel, "out of memory");
return false; return false;
} }
free(conf->variable); free(*conf->variable);
conf->variable = str; *conf->variable = str;
} }
} }
else if (DoIt) else if (DoIt)
@ -664,8 +671,8 @@ set_config_option(const char * name, const char * value, GucContext
elog(elevel, "out of memory"); elog(elevel, "out of memory");
return false; return false;
} }
free(conf->variable); free(*conf->variable);
conf->variable = str; *conf->variable = str;
} }
break; break;
} }
@ -725,7 +732,7 @@ GetConfigOption(const char * name)
return buffer; return buffer;
case PGC_STRING: case PGC_STRING:
return ((struct config_string *)record)->variable; return *((struct config_string *)record)->variable;
default: default:
; ;

4
src/include/libpq/auth.h
View File

@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $Id: auth.h,v 1.13 2000/01/26 05:58:11 momjian Exp $ * $Id: auth.h,v 1.14 2000/08/25 10:00:33 petere Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -26,4 +26,6 @@ void be_recvauth(Port *port);
#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ #define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
#define PG_KRB5_VERSION "PGVER5.1" #define PG_KRB5_VERSION "PGVER5.1"
extern char * pg_krb_server_keyfile;
#endif /* AUTH_H */ #endif /* AUTH_H */

46
src/interfaces/libpq/fe-auth.c
View File

@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes). * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.43 2000/06/17 00:10:09 petere Exp $ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.44 2000/08/25 10:00:35 petere Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -565,41 +565,37 @@ fe_getauthname(char *PQerrormsg)
MsgType authsvc; MsgType authsvc;
authsvc = fe_getauthsvc(PQerrormsg); authsvc = fe_getauthsvc(PQerrormsg);
switch ((int) authsvc)
{
#ifdef KRB4 #ifdef KRB4
case STARTUP_KRB4_MSG: if (authsvc == STARTUP_KRB4_MSG)
name = pg_krb4_authname(PQerrormsg); name = pg_krb4_authname(PQerrormsg);
break;
#endif #endif
#ifdef KRB5 #ifdef KRB5
case STARTUP_KRB5_MSG: if (authsvc == STARTUP_KRB5_MSG)
name = pg_krb5_authname(PQerrormsg); name = pg_krb5_authname(PQerrormsg);
break;
#endif #endif
case STARTUP_MSG:
{ if (authsvc == STARTUP_MSG
|| (authsvc == STARTUP_KRB4_MSG && !name)
|| (authsvc == STARTUP_KRB5_MSG && !name))
{
#ifdef WIN32 #ifdef WIN32
char username[128]; char username[128];
DWORD namesize = sizeof(username) - 1; DWORD namesize = sizeof(username) - 1;
if (GetUserName(username, &namesize)) if (GetUserName(username, &namesize))
name = username; name = username;
#else #else
struct passwd *pw = getpwuid(geteuid()); struct passwd *pw = getpwuid(geteuid());
if (pw) if (pw)
name = pw->pw_name; name = pw->pw_name;
#endif #endif
}
break;
default:
(void) sprintf(PQerrormsg,
"fe_getauthname: invalid authentication system: %d\n",
authsvc);
break;
} }
if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
sprintf(PQerrormsg,"fe_getauthname: invalid authentication system: %d\n", authsvc);
if (name && (authn = (char *) malloc(strlen(name) + 1))) if (name && (authn = (char *) malloc(strlen(name) + 1)))
strcpy(authn, name); strcpy(authn, name);
return authn; return authn;