From: Bernd Helmle Date: Thu, 16 Apr 2015 13:29:35 +0000 (+0200) Subject: Add configure option --without-trust-auth and --without-ident-auth. X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=cb5ef4c09ea1ab8fc30622c893c513b22cc98514;p=users%2Fbernd%2Fpostgres.git Add configure option --without-trust-auth and --without-ident-auth. These configure options allows to disable trust and ident authentication at compile time. Also peer is used per default instead of trust in initdb when using these compile options. --- diff --git a/configure b/configure index 7c0bd0c696..bd80b469f2 100755 --- a/configure +++ b/configure @@ -824,6 +824,8 @@ with_tcl with_tclconfig with_perl with_python +with_trust_auth +with_ident_auth with_gssapi with_krb_srvnam with_pam @@ -1511,6 +1513,8 @@ Optional Packages: --with-tclconfig=DIR tclConfig.sh is in DIR --with-perl build Perl modules (PL/Perl) --with-python build Python modules (PL/Python) + --without-trust-auth build with trust authentication support + --without-ident-auth build with ident authentication support --with-gssapi build with GSSAPI support --with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI) [postgres] 
@@ -5413,6 +5417,88 @@ fi $as_echo "$with_python" >&6; } +# +# Enable Trust authentication +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with trust authentication support" >&5 +$as_echo_n "checking whether to build with trust authentication support... " >&6; } + + + +# Check whether --with-trust-auth was given. +if test "${with_trust_auth+set}" = set; then : + withval=$with_trust_auth; + case $withval in + yes) + + +$as_echo "#define WITH_TRUST 1" >>confdefs.h + + + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-trust-auth option" "$LINENO" 5 + ;; + esac + +else + with_trust_auth=yes + + +$as_echo "#define WITH_TRUST 1" >>confdefs.h + + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_trust_auth" >&5 +$as_echo "$with_trust_auth" >&6; } + +# +# Enable Ident authentication +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with ident authentication support" >&5 +$as_echo_n "checking whether to build with ident authentication support... " >&6; } + + + +# Check whether --with-ident-auth was given. +if test "${with_ident_auth+set}" = set; then : + withval=$with_ident_auth; + case $withval in + yes) + + +$as_echo "#define WITH_IDENT 1" >>confdefs.h + + + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-ident-auth option" "$LINENO" 5 + ;; + esac + +else + with_ident_auth=yes + + +$as_echo "#define WITH_IDENT 1" >>confdefs.h + + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_ident_auth" >&5 +$as_echo "$with_ident_auth" >&6; } + # # GSSAPI # diff --git a/configure.in b/configure.in index 1cd9e1eb46..a823571f25 100644 --- a/configure.in +++ b/configure.in 
@@ -625,6 +625,28 @@ PGAC_ARG_BOOL(with, python, no, [build Python modules (PL/Python)])
 AC_MSG_RESULT([$with_python])
 AC_SUBST(with_python)
+#
+# Enable Trust authentication
+#
+
+AC_MSG_CHECKING([whether to build with trust authentication support])
+PGAC_ARG_BOOL(with, trust-auth, yes, [build with trust authentication support],
+[
+ AC_DEFINE(WITH_TRUST, 1, [Define to build with trust authentication support. (--without-trust-auth)])
+])
+AC_MSG_RESULT([$with_trust_auth])
+
+#
+# Enable Ident authentication
+#
+
+AC_MSG_CHECKING([whether to build with ident authentication support])
+PGAC_ARG_BOOL(with, ident-auth, yes, [build with ident authentication support],
+[
+ AC_DEFINE(WITH_IDENT, 1, [Define to build with ident authentication support. (--without-ident-auth)])
+])
+AC_MSG_RESULT([$with_ident_auth])
+
 #
 # GSSAPI
 #
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 4968e09c99..2a492833f4 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -756,6 +756,30 @@ su - postgres
+
+
+
+
+ Build without support for trust authentication. Trust authentication
+ is useful on standalone systems but may lead to serious security
+ issues when not used properly. This switch disables the trust keyword
+ in the pg_hba.conf file.
+
+
+
+
+
+
+
+
+ Build without support for ident authentication. Ident authentication
+ is useful for some specific setups but may generally lead to serious security
+ issues when not used properly. This switch disables the ident keyword
+ in the pg_hba.conf file.
+
+
+
+
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index a0f5396036..33b55397d8 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
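Review bot: The help strings passed to the two new `PGAC_ARG_BOOL` calls describe the positive form, but with a default of `yes` autoconf advertises the negative switch, so the generated `configure --help` prints `--without-trust-auth build with trust authentication support` (visible in the configure hunk earlier on this page) and the same inversion for `--without-ident-auth`. The strings should describe the disabling action: `PGAC_ARG_BOOL(with, trust-auth, yes, [do not build trust authentication support],` and `PGAC_ARG_BOOL(with, ident-auth, yes, [do not build ident authentication support],`. The `AC_DEFINE` descriptions could likewise say the symbol is set by default and cleared by the `--without-` switch, which also keeps `pg_config.h.in` consistent whenever autoheader regenerates it.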
@@ -1150,9 +1150,17 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 unsupauth = NULL;
 if (strcmp(token->string, "trust") == 0)
+#ifdef WITH_TRUST
 parsedline->auth_method = uaTrust;
+#else
+ unsupauth = "trust";
+#endif
 else if (strcmp(token->string, "ident") == 0)
+#ifdef WITH_IDENT
 parsedline->auth_method = uaIdent;
+#else
+ unsupauth = "ident";
+#endif
 else if (strcmp(token->string, "peer") == 0)
 parsedline->auth_method = uaPeer;
 else if (strcmp(token->string, "password") == 0)
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 86949209b0..5541a9cfbf 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -71,7 +71,15 @@
 /* Ideally this would be in a .h file, but it hardly seems worth the trouble */
 extern const char *select_default_timezone(const char *share_path);
-static const char *auth_methods_host[] = {"trust", "reject", "md5", "password", "ident", "radius",
+static const char *auth_methods_host[] = {
+#ifdef WITH_TRUST
+"trust",
+#endif
+"md5", "reject", "password",
+#ifdef WITH_IDENT
+"ident",
+#endif
+"radius",
 #ifdef ENABLE_GSS
 "gss",
 #endif
@@ -88,7 +96,11 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password",
 "cert",
 #endif
 NULL};
-static const char *auth_methods_local[] = {"trust", "reject", "md5", "password", "peer", "radius",
+static const char *auth_methods_local[] = {
+#ifdef WITH_TRUST
+"trust",
+#endif
+"peer", "reject", "md5", "password", "radius",
 #ifdef USE_PAM
 "pam", "pam ",
 #endif
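Review bot: The new `#ifdef` blocks sit inside an unbraced `if` / `else if` chain, so each branch has to expand to exactly one statement or the following `else if` no longer attaches to the right `if`; bracing the two branches makes that structure robust to later edits and easier to read. Operationally, on a `--without-trust-auth` build an existing `pg_hba.conf` that still says `trust` now fails to parse, which is fatal at server start and keeps the old rules on reload; the `unsupauth` handling that reports this lives outside the hunk, so please check that its message tells the admin the method was disabled at build time rather than looking like a typo. parse_hba_line starts and ends outside the hunk.
```c
	if (strcmp(token->string, "trust") == 0)
	{
#ifdef WITH_TRUST
		parsedline->auth_method = uaTrust;
#else
		unsupauth = "trust";
#endif
	}
	else if (strcmp(token->string, "ident") == 0)
	{
#ifdef WITH_IDENT
		parsedline->auth_method = uaIdent;
#else
		unsupauth = "ident";
#endif
	}
	/* … unchanged: peer, password and the remaining method branches … */
```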
@@ -2790,14 +2802,25 @@ usage(const char *progname)
 }
 static void
-check_authmethod_unspecified(const char **authmethod)
+check_authmethod_unspecified(const char **authmethod, const char *conntype)
 {
 if (*authmethod == NULL || strlen(*authmethod) == 0)
 {
+#ifdef WITH_TRUST
 authwarning = _("\nWARNING: enabling \"trust\" authentication for local connections\n" "You can change this by editing pg_hba.conf or using the option -A, or\n" "--auth-local and --auth-host, the next time you run initdb.\n");
 *authmethod = "trust";
+#else
+ if (strcmp(conntype, "local") == 0) {
+ authwarning = _("\nWARNING: enabling \"peer\" authentication for local connections\n" "You can change this by editing pg_hba.conf or using the option -A, or\n" "--auth-local and --auth-host, the next time you run initdb.\n");
+ *authmethod = "peer";
+ } else {
+ *authmethod = "md5";
+ }
+#endif
 }
 }
@@ -3586,8 +3609,8 @@ main(int argc, char *argv[])
 exit(1);
 }
- check_authmethod_unspecified(&authmethodlocal);
- check_authmethod_unspecified(&authmethodhost);
+ check_authmethod_unspecified(&authmethodlocal, "local");
+ check_authmethod_unspecified(&authmethodhost, "host");
 check_authmethod_valid(authmethodlocal, auth_methods_local, "local");
 check_authmethod_valid(authmethodhost, auth_methods_host, "host");
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 5688f750af..888d29bc03 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -51,6 +51,12 @@
 /* Define to build with GSSAPI support. (--with-gssapi) */
 #undef ENABLE_GSS
+/* Define to build with trust authentication turned on (default, --without-trust-auth to turn off) */
+#undef WITH_TRUST
+
+/* Define to build with ident authentication turned on (default, --without-ident-auth to turn off) */
+#undef WITH_IDENT
+
 /* Define to 1 if you want National Language Support. (--enable-nls) */
 #undef ENABLE_NLS
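Review bot: In the `#else` branch the host default `"md5"` is applied silently — only the `local` case sets `authwarning` — yet initdb assigns no superuser password unless `-W` or `--pwfile` is given, so a cluster initialized with defaults on a `--without-trust-auth` build accepts no TCP/IP connection at all until someone runs `ALTER ROLE ... PASSWORD`, and nothing tells the admin why. A warning is needed for the host case too, along the lines of `"\nWARNING: enabling \"md5\" authentication for host connections; set a superuser password (-W, --pwfile or ALTER ROLE) before connecting over TCP/IP.\n"`; note that `authwarning` is a single pointer and main() calls this function for `local` and then `host` (second hunk), so a host message set here would replace the peer one unless the two are combined, which is simplest to do in main() once both defaults are known. Two smaller points: `conntype` is unused in the `WITH_TRUST` build, and the new `{` / `} else {` placement departs from the brace-on-its-own-line layout visible in the enclosing `if` just above.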
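Review bot: The comments added for `WITH_TRUST` and `WITH_IDENT` in pg_config.h.in differ from the descriptions passed to `AC_DEFINE` in the configure.in hunk (`Define to build with trust authentication support. (--without-trust-auth)`), and if this template is regenerated with autoheader the configure.in wording will overwrite what is added here. Keep the two identical, preferably by moving the fuller wording — `Define to build with trust authentication support (default; --without-trust-auth to disable)` and its ident counterpart — into the `AC_DEFINE` calls and letting it flow through.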