Re: [PHP] authentication question

Lists: pgsql-novice pgsql-php
From: Robby Russell <rrussell(at)commandprompt(dot)com>
To: Cath Lawrence <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>
Cc: pgsql-novice(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org
Subject: Re: [PHP] authentication question
Date: 2003-08-07 03:12:32
Message-ID: 3F31C3A0.5010506@commandprompt.com
Lists: pgsql-novice pgsql-php

Cath Lawrence wrote:

> Hi,
>
> Not sure if this is a novice or a PHP question; so I sent it to both.
>
> Anyway, I can't seem to deny access to my database through the web
> server/PHP connection...
>
> In my pg_hba.conf, at the top, before getting to the real databases,
> I have:
> # temporary, cath testing access on example
> local temp all reject
> host temp all 127.0.0.1 255.255.255.255 reject
> host temp all 0.0.0.0 255.255.255.255 reject
>
> Command line psql won't let me connect to temp - so far so good.
> But when I use PHP's pg_connect with host, dbname, username, password
> specified, it lets me through. It does fail non-users or bad passwords
> - but all existing postgresql users seem to be able to make the
> connection regardless.
>
> What have I missed? Ultimately, I am trying to set this up so only
> specific known users can connect to my database from particular hosts.

Cath,

I'm not sure if this will help you or not, but try adding this to the
bottom (seen this as a common practice)

# reject all connections from all hosts not granted above
host all 0.0.0.0 0.0.0.0 reject

-Robby

--

Robby Russell, Sr. Administrator / Lead Programmer
Command Prompt, Inc.
rrussell(at)commandprompt(dot)com
http://www.commandprompt.com (503) 222.2783


From: Robby Russell <rrussell(at)commandprompt(dot)com>
To: Cath Lawrence <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: authentication question
Date: 2003-08-07 03:37:04
Message-ID: 3F31C960.30309@commandprompt.com
Lists: pgsql-novice pgsql-php

Cath Lawrence wrote:

> On Thursday, August 7, 2003, at 01:12 PM, Robby Russell wrote:
>
>> Cath Lawrence wrote:
>> I'm not sure if this will help you or not, but try adding this to the
>> bottom (seen this as a common practice)
>> # reject all connections from all hosts not granted above
>> host all 0.0.0.0 0.0.0.0 reject
>
>
> D'oh! That does it. Thanks Robby.
> Blindly copy'n'paste-ing a line with the wrong netmask did NOT help!
>
> But while I'm here - how does PHP connect? If rejecting connections
> from the local machine and from 127.0.0.1 didn't do the trick, why
> not? (Or is that getting into network issues and I needed the host's
> IP address?)

Cath,
It depends: is the PHP (on Apache, I assume) running on the same machine?
If it is, then usually rejecting 127.0.0.1 will do the trick (given that
the /etc/hosts file has an entry for localhost). If it's a remote
connection, then you will need to look at all your configuration
settings to try and determine this issue.

Glad that other bit of info helped though.

--
Robby Russell, | Sr. Administrator / Lead Programmer
Command Prompt, Inc. | http://www.commandprompt.com
rrussell(at)commandprompt(dot)com | Telephone: (503) 222.2783


From: Cath Lawrence <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>
To: pgsql-novice(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org
Subject: authentication question
Date: 2003-08-07 05:47:29
Message-ID: A19895BC-C89A-11D7-9EC1-00039390F614@anu.edu.au
Lists: pgsql-novice pgsql-php

Hi,

Not sure if this is a novice or a PHP question; so I sent it to both.

Anyway, I can't seem to deny access to my database through the web
server/PHP connection...

In my pg_hba.conf, at the top, before getting to the real databases, I
have:
# temporary, cath testing access on example
local temp all reject
host temp all 127.0.0.1 255.255.255.255 reject
host temp all 0.0.0.0 255.255.255.255 reject

Command line psql won't let me connect to temp - so far so good.
But when I use PHP's pg_connect with host, dbname, username, password
specified, it lets me through. It does fail non-users or bad passwords
- but all existing postgresql users seem to be able to make the
connection regardless.

What have I missed? Ultimately, I am trying to set this up so only
specific known users can connect to my database from particular hosts.

thanks for any help,
regards
Cath
Cath Lawrence, Cath(dot)Lawrence(at)anu(dot)edu(dot)au
Senior Scientific Programmer, Centre for Bioinformation Science,
John Curtin School of Medical Research (room 4088)
Australian National University, Canberra ACT 0200
ph: (02) 61257959 mobile: 0421-902694 fax: (02) 61252595


From: Cath Lawrence <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>
To: pgsql-php(at)postgresql(dot)org, pgsql-novice(at)postgresql(dot)org
Subject: Re: [PHP] authentication question
Date: 2003-08-07 06:27:48
Message-ID: 43AF36DA-C8A0-11D7-9EC1-00039390F614@anu.edu.au
Lists: pgsql-novice pgsql-php

On Thursday, August 7, 2003, at 01:12 PM, Robby Russell wrote:
> Cath Lawrence wrote:
> I'm not sure if this will help you or not, but try adding this to the
> bottom (seen this as a common practice)
> # reject all connections from all hosts not granted above
> host all 0.0.0.0 0.0.0.0 reject

D'oh! That does it. Thanks Robby.
Blindly copy'n'paste-ing a line with the wrong netmask did NOT help!

But while I'm here - how does PHP connect? If rejecting connections
from the local machine and from 127.0.0.1 didn't do the trick, why not?
(Or is that getting into network issues and I needed the host's IP
address?)

thanks again
Cath
Cath Lawrence, Cath(dot)Lawrence(at)anu(dot)edu(dot)au
Senior Scientific Programmer, Centre for Bioinformation Science,
John Curtin School of Medical Research (room 4088)
Australian National University, Canberra ACT 0200
ph: (02) 61257959 mobile: 0421-902694 fax: (02) 61252595


From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Cath Lawrence" <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>, <pgsql-php(at)postgresql(dot)org>, <pgsql-novice(at)postgresql(dot)org>
Subject: Re: [PHP] authentication question
Date: 2003-08-07 06:39:40
Message-ID: 0f2a01c35cae$af2358a0$2800a8c0@mars
Lists: pgsql-novice pgsql-php

> But while I'm here - how does PHP connect? If rejecting connections
> from the local machine and from 127.0.0.1 didn't do the trick, why not?
> (Or is that getting into network issues and I needed the host's IP
> address?)

PHP is probably using a Unix domain socket (eg. /tmp/pgsql.1321 or
something), and not using an actual TCP/IP connection.

Chris


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robby Russell <rrussell(at)commandprompt(dot)com>
Cc: Cath Lawrence <Cath(dot)Lawrence(at)anu(dot)edu(dot)au>, pgsql-novice(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org
Subject: Re: [PHP] authentication question
Date: 2003-08-07 14:04:13
Message-ID: 14997.1060265053@sss.pgh.pa.us
Lists: pgsql-novice pgsql-php

Robby Russell <rrussell(at)commandprompt(dot)com> writes:
> I'm not sure if this will help you or not, but try adding this to the
> bottom (seen this as a common practice)

> # reject all connections from all hosts not granted above
> host all 0.0.0.0 0.0.0.0 reject

This is unnecessary --- if the postmaster falls off the end of the file
without a match, it defaults to "reject". Nothing wrong with having
such a line for documentation purposes, but it shouldn't change the
behavior one bit.

My guess about Cath's original problem is that the lines she showed us
only controlled attempted connections to the "temp" database ... not to
any other database. If she had more lines later in the file, those
would be consulted for any connection to a database not named "temp".

Another common mistake (been burnt this way more than once) is to forget
to SIGHUP the postmaster (eg, pg_ctl reload) after editing the config
file. You can get *really* confused if you are trying different things
and sometimes you remember to SIGHUP and sometimes you don't.

regards, tom lane
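
An added example, not part of any message in this thread: a simplified first-match evaluator for the two pg_hba.conf line shapes quoted above, showing which rule decides a connection to "temp" or to another database, over a Unix socket or TCP, and the default reject when nothing matches. The names `parse_hba`, `decide` and `SAMPLE_HBA`, the last two config lines, the user `cath` and the client addresses are assumptions made for illustration; the real server's syntax is richer than this.

```python
from ipaddress import IPv4Address

# Constructed sample: the three "temp" lines from the thread, followed by
# assumed later lines standing in for "the real databases".
SAMPLE_HBA = """\
# temporary, cath testing access on example
local temp all reject
host temp all 127.0.0.1 255.255.255.255 reject
host temp all 0.0.0.0 255.255.255.255 reject
local all all md5
host all all 0.0.0.0 0.0.0.0 md5
"""

def parse_hba(text):
    """Parse 'local DB USER METHOD' and 'host DB USER IP MASK METHOD' lines."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) == 4:
            rules.append(("local", f[1], f[2], 0, 0, f[3]))
        elif f[0] == "host" and len(f) == 6:
            addr, mask = int(IPv4Address(f[3])), int(IPv4Address(f[4]))
            rules.append(("host", f[1], f[2], addr, mask, f[5]))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return rules

def decide(rules, db, user, client_ip=None):
    """Return (method, rule number) of the first matching rule.

    client_ip=None models a Unix-domain socket connection ("local" lines);
    otherwise only "host" lines are considered. No match means reject.
    """
    kind = "local" if client_ip is None else "host"
    ip = 0 if client_ip is None else int(IPv4Address(client_ip))
    for number, (rtype, rdb, ruser, addr, mask, method) in enumerate(rules, 1):
        if rtype != kind or rdb not in ("all", db) or ruser not in ("all", user):
            continue
        if kind == "host" and (ip & mask) != (addr & mask):
            continue  # client address is outside this rule's address/mask
        return method, number
    return "reject", None  # fell off the end of the file

RULES = parse_hba(SAMPLE_HBA)

if __name__ == "__main__":
    for args in [("temp", "cath"), ("temp", "cath", "192.168.0.40"), ("other", "cath")]:
        print(args, "->", decide(RULES, *args))
```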