Unix Technical Forum

#1
04-15-2008, 10:27 PM
Tom Lane
rolcanlogin vs. the flat password file

There's a gripe over here
http://archives.postgresql.org/pgsql...0/msg00640.php
to the effect that PG should not give a message like "password
authentication failure" when the user is attempting to log in as a
NOLOGIN role. This surprised me because there is a specific message
for that, and it worked when I tried it:

regression=# create user foo nologin;
CREATE ROLE
regression=# \c - foo
FATAL: role "foo" is not permitted to log in
Previous connection kept
regression=#

On investigation though, it turns out that it depends on which auth
mode you're using: some of the auth modes look up the user in the
flat password file, and some don't. Now flatfiles.c makes a point of
not entering roles into the flat password file if they are not
rolcanlogin, which means that for password auth you are guaranteed to
fail long before you can get to the explicit check in
InitializeSessionUserId.

We could certainly change flatfiles.c to disregard rolcanlogin, which'd
actually make the code simpler. However, that in itself wouldn't change
the behavior, unless you were to assign a password to the NOLOGIN role
which seems a fairly strange thing to do. I think what the OP wishes
is that "not permitted to log in" would be checked before checking
password validity, and to do that we'd have to add rolcanlogin
to the flat password file and put the check somewhere upstream of the
authentication process.

I am not entirely convinced whether we should do anything about this:
the general theory on authentication failures is that you don't say much
about exactly why it failed, so as to not give a brute-force attacker
any info about whether he gave a valid userid or not. So there's an
argument to be made that the current behavior is what we want. But
I'm pretty sure that it wasn't intentionally designed to act this way.

Comments?

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org
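The ordering problem Tom describes, as an added model in Python (not PostgreSQL's code and not the patch later in the thread): the flat auth file uses the field layout `"rolename" "password" "validuntil" "memberof" ...`, password auth consults only that file, and the rolcanlogin gate runs only after authentication succeeds. The role names, passwords and the simplified check functions are constructed assumptions; `filter_nologin=True` models the current flatfiles.c, `False` models a file that lists every role.

```python
import shlex

# Constructed stand-in for pg_authid: rolname -> (rolpassword or None, rolcanlogin)
CATALOG = {
    "alice": ("secret", True),   # normal login role
    "foo":   ("foo", False),     # NOLOGIN role that was nevertheless given a password
    "grp":   (None, False),      # ordinary group role, no password
}

def write_flat_file(catalog, filter_nologin):
    """Render the flat auth file.  filter_nologin=True models the current
    flatfiles.c (roles without rolcanlogin are skipped); False lists all roles.
    The memberof columns are left empty in this model."""
    lines = []
    for name, (password, canlogin) in catalog.items():
        if filter_nologin and not canlogin:
            continue
        lines.append(f'"{name}" "{password or ""}" ""')
    return "\n".join(lines) + "\n"

def parse_flat_file(text):
    """Parse "rolename" "password" "validuntil" "memberof"... lines."""
    entries = {}
    for line in text.splitlines():
        fields = shlex.split(line)
        if len(fields) < 3:
            continue  # blank or malformed line
        entries[fields[0]] = (fields[1] or None, fields[2], fields[3:])
    return entries

def connect(role, password, flat_text, catalog):
    """Password auth sees only the flat file; the rolcanlogin check
    (InitializeSessionUserId in the real server) runs only afterwards."""
    entry = parse_flat_file(flat_text).get(role)
    # A missing entry, an empty password and a wrong password are all
    # reported identically: that is the deliberate no-information policy.
    if entry is None or entry[0] is None or entry[0] != password:
        return f'FATAL: password authentication failed for user "{role}"'
    if not catalog[role][1]:
        return f'FATAL: role "{role}" is not permitted to log in'
    return f'connected as "{role}"'

def passworded_nologin_roles(catalog):
    """Roles that carry a password but cannot log in: the case that produces
    the confusing message, and the one a CREATE/ALTER ROLE warning would flag."""
    return sorted(n for n, (pw, canlogin) in catalog.items() if pw and not canlogin)

if __name__ == "__main__":
    for filtered in (True, False):
        flat = write_flat_file(CATALOG, filtered)
        print("filtered" if filtered else "unfiltered", connect("foo", "foo", flat, CATALOG))
```

With the filtered file the correct password for "foo" still yields "password authentication failed"; with the unfiltered file the password is accepted and only then is the login refusal reported.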

#2
04-15-2008, 10:27 PM
Michael Glaesemann
Re: rolcanlogin vs. the flat password file


On Oct 14, 2007, at 14:34 , Tom Lane wrote:

> I am not entirely convinced whether we should do anything about this:
> the general theory on authentication failures is that you don't say much
> about exactly why it failed, so as to not give a brute-force attacker
> any info about whether he gave a valid userid or not. So there's an
> argument to be made that the current behavior is what we want. But
> I'm pretty sure that it wasn't intentionally designed to act this way.


Would there be a difference in how this is logged and how it's
reported to the user? I can see where an admin (having access to
logs) would want to have additional information such as whether a
role login has failed due to not having login privileges or whether
the failure was due to an incorrect role/password pair. I lean
towards less information back to the user as to the nature of the
failure. If the general consensus is to leave the current behavior, a
comment should probably be included to note that the behavior is
intentional.

Michael Glaesemann
grzm seespotcode net



#3
04-15-2008, 10:27 PM
Stephen Frost
Re: rolcanlogin vs. the flat password file

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> We could certainly change flatfiles.c to disregard rolcanlogin, which'd
> actually make the code simpler. However, that in itself wouldn't change
> the behavior, unless you were to assign a password to the NOLOGIN role
> which seems a fairly strange thing to do. I think what the OP wishes
> is that "not permitted to log in" would be checked before checking
> password validity, and to do that we'd have to add rolcanlogin
> to the flat password file and put the check somewhere upstream of the
> authentication process.


I wonder if the OP was unhappy because he created a role w/ a pw and
then couldn't figure out why the user couldn't log in? I've run into
that in the past and it takes some leg-work to figure out what's going
on. A warning on a 'create role' or 'alter role' command which sets a
password when 'rolcanlogin' is false might be an alternative way to
'fix' this.

In general, I would say that it's correct to say 'invalid
authentication'/'bad pw' until the user is authenticated and then say
'not permitted to log in' if they're not authorized (don't have
rolcanlogin), which is I think what we do. That combined with the
warning above would, I think, cover most of the problem cases.

Thanks,

Stephen

#4
04-15-2008, 10:27 PM
Tom Lane
Re: rolcanlogin vs. the flat password file

Michael Glaesemann <grzm@seespotcode.net> writes:
> Would there be a difference in how this is logged and how it's
> reported to the user?


Not without making all the same infrastructure changes that would be
needed to tell the user something different than now. As things stand,
the password auth code can't tell the difference between a nonexistent
role and a nologin role; neither one has an entry in the flat file.
If we dropped the filtering in flatfiles.c, then a nologin role would
have an entry, but most likely without a password, so you'd still just
see "password auth failed".

regards, tom lane

#5
04-15-2008, 10:27 PM
Tom Lane
Re: rolcanlogin vs. the flat password file

Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> ... I think what the OP wishes
>> is that "not permitted to log in" would be checked before checking
>> password validity, and to do that we'd have to add rolcanlogin
>> to the flat password file and put the check somewhere upstream of the
>> authentication process.


> I wonder if the OP was unhappy because he created a role w/ a pw and
> then couldn't figure out why the user couldn't log in?


Hm, maybe. In that case just not filtering the entry out of the flat
file would be good enough. In hindsight I'm not sure why we indulged
in that bit of complication anyway --- it seems unlikely that an
installation would have so many nologin roles, compared to regular ones,
that the increase in size of the flat file would be objectionable.

> In general, I would say that it's correct to say 'invalid
> authentication'/'bad pw' until the user is authenticated and then say
> 'not permitted to log in' if they're not authorized (don't have
> rolcanlogin), which is I think what we do.


That *would* be the behavior if we removed the filtering.

regards, tom lane

#6
04-15-2008, 10:27 PM
Tom Lane
Re: rolcanlogin vs. the flat password file

I wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> I wonder if the OP was unhappy because he created a role w/ a pw and
>> then couldn't figure out why the user couldn't log in?


> Hm, maybe. In that case just not filtering the entry out of the flat
> file would be good enough.


I've confirmed the confusing behavior in CVS HEAD. With password auth
selected in pg_hba.conf:

postgres=# create user foo nologin;
CREATE ROLE
postgres=# \c - foo
Password for user "foo":
FATAL: password authentication failed for user "foo"
Previous connection kept
postgres=# alter user foo password 'foo';
ALTER ROLE
postgres=# \c - foo
Password for user "foo": << correct password entered here
FATAL: password authentication failed for user "foo"
Previous connection kept

With the attached patch to not drop nologin roles from the flat password
file, it acts more sanely:

postgres=# create user foo nologin;
CREATE ROLE
postgres=# \c - foo
Password for user "foo":
FATAL: password authentication failed for user "foo"
Previous connection kept
postgres=# alter user foo password 'foo';
ALTER ROLE
postgres=# \c - foo
Password for user "foo": << correct password entered here
FATAL: role "foo" is not permitted to log in
Previous connection kept

Should we just do this, or is it worth working harder?

regards, tom lane


*** src/backend/utils/init/flatfiles.c.orig Wed Aug 1 18:45:08 2007
--- src/backend/utils/init/flatfiles.c Sun Oct 14 17:14:27 2007
***************
*** 298,304 ****
*
* The format for the flat auth file is
* "rolename" "password" "validuntil" "memberof" "memberof" ...
- * Only roles that are marked rolcanlogin are entered into the auth file.
* Each role's line lists all the roles (groups) of which it is directly
* or indirectly a member, except for itself.
*
--- 298,303 ----
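Review bot: the header comment loses the sentence saying only rolcanlogin roles are entered, but nothing replaces it, so the documented file format no longer tells a reader that an entry in the auth file does not by itself mean the role may log in. Suggest adding a line such as `* All roles are entered, including those without rolcanlogin; the login check is made after authentication.` so the format comment states the new rule the thread settles on.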
***************
*** 312,318 ****
typedef struct
{
Oid roleid;
- bool rolcanlogin;
char *rolname;
char *rolpassword;
char *rolvaliduntil;
--- 311,316 ----
***************
*** 407,414 ****
tempname)));

/*
! * Read pg_authid and fill temporary data structures. Note we must read
! * all roles, even those without rolcanlogin.
*/
totalblocks = RelationGetNumberOfBlocks(rel_authid);
totalblocks = totalblocks ? totalblocks : 1;
--- 405,411 ----
tempname)));

/*
! * Read pg_authid and fill temporary data structures.
*/
totalblocks = RelationGetNumberOfBlocks(rel_authid);
totalblocks = totalblocks ? totalblocks : 1;
***************
*** 433,439 ****
}

auth_info[curr_role].roleid = HeapTupleGetOid(tuple);
- auth_info[curr_role].rolcanlogin = aform->rolcanlogin;
auth_info[curr_role].rolname = pstrdup(NameStr(aform->rolname));
auth_info[curr_role].member_of = NIL;

--- 430,435 ----
***************
*** 565,574 ****
List *roles_names_list = NIL;
ListCell *mem;

- /* We can skip this for non-login roles */
- if (!auth_info[curr_role].rolcanlogin)
- continue;
-
/*
* This search algorithm is the same as in is_member_of_role; we
* are just working with a different input data structure.
--- 561,566 ----
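Review bot: removing the `continue` for non-login roles means the membership search runs, and a memberof list is emitted, for every role, so the size of the flat file and the cost of rebuilding it now scale with the total role count rather than with login roles only; the thread judges that acceptable, but it deserves a sentence in the commit message as a deliberate trade-off. Also confirm that nothing else relied on nologin roles being absent from the file as the mechanism that keeps them out, since that exclusion now rests solely on the check made after authentication.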
***************
*** 642,650 ****
for (curr_role = 0; curr_role < total_roles; curr_role++)
{
auth_entry *arole = &auth_info[curr_role];
-
- if (arole->rolcanlogin)
- {
ListCell *mem;

fputs_quote(arole->rolname, fp);
--- 634,639 ----
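Review bot: dropping `if (arole->rolcanlogin)` and its opening brace leaves the remaining loop body, from `ListCell *mem;` through the `fputs_quote(arole->rolname, fp);` call, indented one level deeper than its new enclosing block; reindent those lines (or run pgindent) so the structure reads correctly, and check that the matching `}` removed in the following hunk is the only other edit needed to keep the braces balanced.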
***************
*** 660,666 ****
}

fputs("\n", fp);
- }
}

if (FreeFile(fp))
--- 649,654 ----

#7
04-15-2008, 10:27 PM
Andrew Dunstan
Re: rolcanlogin vs. the flat password file



Tom Lane wrote:
> Should we just do this, or is it worth working harder?


Not worth more, IMNSHO.

cheers

andrew

#8
04-15-2008, 10:27 PM
Stephen Frost
Re: rolcanlogin vs. the flat password file

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > Stephen Frost <sfrost@snowman.net> writes:
> >> I wonder if the OP was unhappy because he created a role w/ a pw and
> >> then couldn't figure out why the user couldn't log in?
>
> > Hm, maybe. In that case just not filtering the entry out of the flat
> > file would be good enough.
>
> I've confirmed the confusing behavior in CVS HEAD. With password auth
> selected in pg_hba.conf:
[...]
> Should we just do this, or is it worth working harder?


I certainly like this. Honestly, I'd also like the warning when doing a
'create role'/'alter role' that sets/changes the pw on an account that
doesn't have 'rolcanlogin'. Much better to have me notice that I goof'd
the command and fix it before telling the user 'go ahead and log in'
than to have the user complain that it's not working.

Just my 2c.

Thanks,

Stephen

#9
04-15-2008, 10:27 PM
Michael Paesold
Re: rolcanlogin vs. the flat password file

Tom Lane wrote:
> With the attached patch to not drop nologin roles from the flat password
> file, it acts more sanely:
>
> postgres=# create user foo nologin;
> CREATE ROLE
> postgres=# \c - foo
> Password for user "foo":
> FATAL: password authentication failed for user "foo"
> Previous connection kept
> postgres=# alter user foo password 'foo';
> ALTER ROLE
> postgres=# \c - foo
> Password for user "foo": << correct password entered here
> FATAL: role "foo" is not permitted to log in
> Previous connection kept
>
> Should we just do this, or is it worth working harder?


IMHO this is exactly what we want. It only offers more information when
you have already got authentication right and therefore doesn't open an
information leak.

Not sure about the warning when creating a role with a password but
nologin. Could be useful.

Best Regards
Michael Paesold

#10
04-15-2008, 10:28 PM
Magnus Hagander
Re: rolcanlogin vs. the flat password file

On Sun, Oct 14, 2007 at 06:16:04PM -0400, Stephen Frost wrote:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > Stephen Frost <sfrost@snowman.net> writes:
> > >> I wonder if the OP was unhappy because he created a role w/ a pw and
> > >> then couldn't figure out why the user couldn't log in?
> >
> > > Hm, maybe. In that case just not filtering the entry out of the flat
> > > file would be good enough.
> >
> > I've confirmed the confusing behavior in CVS HEAD. With password auth
> > selected in pg_hba.conf:
> [...]
> > Should we just do this, or is it worth working harder?
>
> I certainly like this. Honestly, I'd also like the warning when doing a
> 'create role'/'alter role' that sets/changes the pw on an account that
> doesn't have 'rolcanlogin'. Much better to have me notice that I goof'd
> the command and fix it before telling the user 'go ahead and log in'
> than to have the user complain that it's not working.
>
> Just my 2c.


I think that's a good idea. Attached is a patch that implements this (I
think - haven't messed around in that area of the code before). Thoughts?

//Magnus


