Re: Upcoming re-releases

The core committee has agreed that it's about time for a new set of
update releases (8.1.3, 8.0.7, etc). Barring surprises, we'll wrap
Sunday evening with expectation of general announcement Tuesday.
Any pending patches out there for the back branches?

regards, tom lane

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> The core committee has agreed that it's about time for a new set of
> update releases (8.1.3, 8.0.7, etc). Barring surprises, we'll wrap
> Sunday evening with expectation of general announcement Tuesday.
> Any pending patches out there for the back branches?

I'd really like to see the multiple DB connections with different
Kerberos credentials go in to 8.1.3. It solved the problem we were
having authenticating to PostgreSQL using Kerberos from Apache. We were
also able to get phppgadmin to use Kerberos authentication with this
patch (which is very nice). That patch also went into the 8.1.2-2
release of the Debian packages (along with the pg_restore patch which
was already committed to CVS). Havn't heard of any problems with it so
far, though 8.1.2-2 only hit the Debian mirrors yesterday.

Thanks!

Stephen

Hi,

On Wed, 2006-02-08 at 11:28 -0500, Stephen Frost wrote:

> I'd really like to see the multiple DB connections with different
> Kerberos credentials go in to 8.1.3. It solved the problem we were
> having authenticating to PostgreSQL using Kerberos from Apache. We were
> also able to get phppgadmin to use Kerberos authentication with this
> patch (which is very nice). That patch also went into the 8.1.2-2
> release of the Debian packages

[OT]
So Debian has a patch that is not in 8.1.2? I can't believe that they
are doing that -- personally I'm against to add any patch into binaries
that is not in the core.
[/OT]

Regards,
--
The PostgreSQL Company - Command Prompt, Inc. 1.503.667.4564
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/

* Devrim GUNDUZ (devrim(at)commandprompt(dot)com) wrote:
> On Wed, 2006-02-08 at 11:28 -0500, Stephen Frost wrote:
> > I'd really like to see the multiple DB connections with different
> > Kerberos credentials go in to 8.1.3. It solved the problem we were
> > having authenticating to PostgreSQL using Kerberos from Apache. We were
> > also able to get phppgadmin to use Kerberos authentication with this
> > patch (which is very nice). That patch also went into the 8.1.2-2
> > release of the Debian packages
>
> [OT]
> So Debian has a patch that is not in 8.1.2? I can't believe that they
> are doing that -- personally I'm against to add any patch into binaries
> that is not in the core.
> [/OT]

Guess you don't use Debian much.

Thanks,

Stephen

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> Any pending patches out there for the back branches?

> I'd really like to see the multiple DB connections with different
> Kerberos credentials go in to 8.1.3.

That's a new feature, not a bug fix. I'd be against back-patching it
even if it had been in HEAD long enough to get some meaningful amount
of testing ... and since it's not even in HEAD yet ...

regards, tom lane

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> >> Any pending patches out there for the back branches?
>
> > I'd really like to see the multiple DB connections with different
> > Kerberos credentials go in to 8.1.3.
>
> That's a new feature, not a bug fix. I'd be against back-patching it
> even if it had been in HEAD long enough to get some meaningful amount
> of testing ... and since it's not even in HEAD yet ...

It's a bug. PostgreSQL properly supports using different authentication
credentials across seperate pg_connect()'s for all of the other
authentication types. The only reason it doesn't for Kerberos is because
of improper use of static variables which aren't reset between the
authentication requests. The patch fixes this and cleans up the
static variable handling.

Thanks,

Stephen

* Devrim GUNDUZ (devrim(at)commandprompt(dot)com) wrote:
> [OT]
> So Debian has a patch that is not in 8.1.2? I can't believe that they
> are doing that -- personally I'm against to add any patch into binaries
> that is not in the core.
> [/OT]

And it's days like these that make me happy to be running Debian. My
thanks go to Martin for his excellent work.

Enjoy,

Stephen

On Wed, 8 Feb 2006, Tom Lane wrote:

> The core committee has agreed that it's about time for a new set of
> update releases (8.1.3, 8.0.7, etc). Barring surprises, we'll wrap
> Sunday evening with expectation of general announcement Tuesday.
> Any pending patches out there for the back branches?
>

I still think this should be applied to back branches. The patches queue
is really quite a bit behind.

http://archives.postgresql.org/pgsql-hackers/2006-01/msg00175.php

Kris Jurka

>[OT]
>So Debian has a patch that is not in 8.1.2? I can't believe that they
>are doing that -- personally I'm against to add any patch into binaries
>that is not in the core.
>[/OT]
>
>
>
This is not a Debian thing. Lots of distributions do it. I wouldn't be
surprised
if RedHat did it as well.

Joshua D. Drake

>Regards,
>
>

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
>
> >[OT]
> >So Debian has a patch that is not in 8.1.2? I can't believe that they
> >are doing that -- personally I'm against to add any patch into binaries
> >that is not in the core.
> >[/OT]
> >
> This is not a Debian thing. Lots of distributions do it. I wouldn't be
> surprised
> if RedHat did it as well.

I'm not sure they do but they're not really a fair comparison as they
have a somewhat privileged position due to Tom (not that I'm
complaining, honestly I think it's wonderful that RH has an apparently
dedicated person for Postgres and it's outstanding that it's someone as
intelligent and knowledgable as Tom). It's certainly not uncommon for
distributions in general to patch programs which make them not-quite
pure upstream. Then again, just a recompile can break things too so
it's not like pristine source is always an option. It's also true, as
has been pointed out before, that Debian uses --enable-integer-datetimes
(or whatever the flag is) which isn't enabled by default. For the vast
majority of Debian users this is correct and better than the default but
it does mean that a PostgreSQL default-options compile will generate a
postmaster that can't work with Debian data files. Then again, if you
omit --enable-krb5 and the Debian package doesn't then if you move to a
default-compiled version you might not be able to authenticate to your
database anymore either.

Thanks,

Stephen

On Wed, Feb 08, 2006 at 06:36:10PM +0200, Devrim GUNDUZ wrote:
> On Wed, 2006-02-08 at 11:28 -0500, Stephen Frost wrote:
>
> > I'd really like to see the multiple DB connections with different
> > Kerberos credentials go in to 8.1.3. It solved the problem we were
> > having authenticating to PostgreSQL using Kerberos from Apache. We were
> > also able to get phppgadmin to use Kerberos authentication with this
> > patch (which is very nice). That patch also went into the 8.1.2-2
> > release of the Debian packages
>
> [OT]
> So Debian has a patch that is not in 8.1.2? I can't believe that they
> are doing that -- personally I'm against to add any patch into binaries
> that is not in the core.
> [/OT]

Debian had the patch to enable ident over unix domain sockets well
before core did. So long that I didn't even realise it was a patch
until I compiled my own version. The patch had been submitted upstream
but fell between the cracks. As a Debian user it something I like.

The changelog entry says:

* Add debian/patches/12-krb5-multiusers.patch:
- Fix krb5 credential handling in libpq for multiple connections with
different users: Don't keep credentials in global variables, but pass
them around in a new krb5_info struct.
- Patch from Stephen Frost, proposed to be adopted upstream.

I consider it a form of preventative bug fixing. Somebody on Debian is
bound to complain about it sooner or later, so may as well fix it now.
There is a group who likes having kerberos working properly...

I imagine if a similar bug affected SSL connections, people would be
jumping up and down to have it fixed.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> On Wed, Feb 08, 2006 at 06:36:10PM +0200, Devrim GUNDUZ wrote:
>> So Debian has a patch that is not in 8.1.2? I can't believe that they
>> are doing that -- personally I'm against to add any patch into binaries
>> that is not in the core.

> I consider it a form of preventative bug fixing.

As against which, you have to consider the probability that the Debian
patch breaks something. With a maintainer who is not one of the main PG
developers accepting patches that haven't yet been reviewed (much less
beta-tested) by the community, that risk seems far from negligible.

(Now Red Hat certainly also puts in patches that aren't yet released
upstream, but we try to avoid getting ahead of upstream patch development.)

regards, tom lane

>> [OT]
>> So Debian has a patch that is not in 8.1.2? I can't believe that they
>> are doing that -- personally I'm against to add any patch into binaries
>> that is not in the core.
>> [/OT]
>
> And it's days like these that make me happy to be running Debian. My
> thanks go to Martin for his excellent work.

Heh don't log into #postgresql then - we have all pretty much been
convinced after years of newbie support that Debian is the son of the
devil when it comes to PostgreSQL :)

Chris

Devrim GUNDUZ wrote:
>
> So Debian has a patch that is not in 8.1.2? I can't believe that they
> are doing that -- personally I'm against to add any patch into binaries
> that is not in the core.

I think the other important thing to consider is that this patch went
into debian's unstable branch, not stable.

Kris Jurka

* Christopher Kings-Lynne (chriskl(at)familyhealth(dot)com(dot)au) wrote:
> >>[OT]
> >>So Debian has a patch that is not in 8.1.2? I can't believe that they
> >>are doing that -- personally I'm against to add any patch into binaries
> >>that is not in the core.
> >>[/OT]
> >
> >And it's days like these that make me happy to be running Debian. My
> >thanks go to Martin for his excellent work.
>
> Heh don't log into #postgresql then - we have all pretty much been
> convinced after years of newbie support that Debian is the son of the
> devil when it comes to PostgreSQL :)

Oh, pah, I'm there already, as 'Snow-Man' and I've heard all about it.
Sorry that Debian/stable releases havn't been coming out as frequently
as they really should have been. We're working on that, honest!

Thanks,

Stephen

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > On Wed, Feb 08, 2006 at 06:36:10PM +0200, Devrim GUNDUZ wrote:
> >> So Debian has a patch that is not in 8.1.2? I can't believe that they
> >> are doing that -- personally I'm against to add any patch into binaries
> >> that is not in the core.
>
> > I consider it a form of preventative bug fixing.
>
> As against which, you have to consider the probability that the Debian
> patch breaks something. With a maintainer who is not one of the main PG
> developers accepting patches that haven't yet been reviewed (much less
> beta-tested) by the community, that risk seems far from negligible.

While I appriciate the core developer's expertise I don't think lack of
being a core member alone makes Martin's critique of the patch somehow
less valuable. I've also posted the patch to both -hackers and -patches
and I'd love for the community to review it.

And, to be fair, it's going into Debian/unstable and won't be in a
stable release without further testing by the Debian/unstable users
and Debian/testing users (once it propagates there). Unless there are
serious problems with it though I expect it to be in the next stable
Debian release (currently slated for the fall, iirc). It wouldn't go
into an update to the current Debian/stable as it's not a security fix.

I'm still very much of the opinion it's a bug and it's not terribly
complicated of a fix when you look at it. The patch looks bigger than
the actual change really is because of the structure references. Those
pieces aren't actually changed beyond referencing the structure variable
instead of the static variable though.

> (Now Red Hat certainly also puts in patches that aren't yet released
> upstream, but we try to avoid getting ahead of upstream patch development.)

Debian in general doesn't like to differ much from upstream and so it
would certainly be nice to have the patch accepted into *some* point
release which could be included in the next stable Debian release. It
seems unlikely 8.2 will be out with enough time for it go through
Debian's testing before the next stable Debian release.

Thanks,

Stephen

Kris Jurka wrote:
>
>
> On Wed, 8 Feb 2006, Tom Lane wrote:
>
> > The core committee has agreed that it's about time for a new set of
> > update releases (8.1.3, 8.0.7, etc). Barring surprises, we'll wrap
> > Sunday evening with expectation of general announcement Tuesday.
> > Any pending patches out there for the back branches?
> >
>
> I still think this should be applied to back branches. The patches queue
> is really quite a bit behind.
>
> http://archives.postgresql.org/pgsql-hackers/2006-01/msg00175.php

Yes, it is, no question. I am working on the INET + INT patch now.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

Devrim GUNDUZ <devrim(at)commandprompt(dot)com> wrote:
> Hi,
>
> On Wed, 2006-02-08 at 11:28 -0500, Stephen Frost wrote:
>
>> I'd really like to see the multiple DB connections with different
>> Kerberos credentials go in to 8.1.3. It solved the problem we were
>> having authenticating to PostgreSQL using Kerberos from Apache. We were
>> also able to get phppgadmin to use Kerberos authentication with this
>> patch (which is very nice). That patch also went into the 8.1.2-2
>> release of the Debian packages
>
> [OT]
> So Debian has a patch that is not in 8.1.2? I can't believe that they
> are doing that -- personally I'm against to add any patch into binaries
> that is not in the core.
> [/OT]

You haven't been looking too closely at the way some distributions are
building their packages then. At least two of the distributions I use
regularly (Gentoo and Debian) have the habit of adding a load of patches
during package build. And not all of those go back to the upstream, to
put it mildly ...

Regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison

Alexander Schreiber wrote:

>At least two of the distributions I use
>regularly (Gentoo and Debian) have the habit of adding a load of patches
>during package build. And not all of those go back to the upstream, to
>put it mildly ...
>
>
>

And they are not always sensible. A while back the Gentoo packagers
decided to "improve" the messages from initdb - the patch they applied
was completely erroneous, and I believe they have now fixed it.

I tend to be suspicious of distro applied patches. (I do like the change
to use log rotation that recent Rh/Fedora packages have made.)

cheers

andrew

Stephen Frost wrote:

> Oh, pah, I'm there already, as 'Snow-Man' and I've heard all about it.
> Sorry that Debian/stable releases havn't been coming out as frequently
> as they really should have been. We're working on that, honest!

The only thing that I hate is that libpq defaults to searching the
local socket in /var/postgresql/ or thereabouts. It really drives me
crazy and I've banned the libpq packages from my system.

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

* Alvaro Herrera (alvherre(at)commandprompt(dot)com) wrote:
> Stephen Frost wrote:
> > Oh, pah, I'm there already, as 'Snow-Man' and I've heard all about it.
> > Sorry that Debian/stable releases havn't been coming out as frequently
> > as they really should have been. We're working on that, honest!
>
> The only thing that I hate is that libpq defaults to searching the
> local socket in /var/postgresql/ or thereabouts. It really drives me
> crazy and I've banned the libpq packages from my system.

Perhaps /var/run/postgresql/? Where do you think it should go...?

Thanks,

Stephen

Stephen Frost wrote:
> * Alvaro Herrera (alvherre(at)commandprompt(dot)com) wrote:
> > Stephen Frost wrote:
> > > Oh, pah, I'm there already, as 'Snow-Man' and I've heard all about it.
> > > Sorry that Debian/stable releases havn't been coming out as frequently
> > > as they really should have been. We're working on that, honest!
> >
> > The only thing that I hate is that libpq defaults to searching the
> > local socket in /var/postgresql/ or thereabouts. It really drives me
> > crazy and I've banned the libpq packages from my system.
>
> Perhaps /var/run/postgresql/? Where do you think it should go...?

Where the upstream package puts it, /tmp ... But yeah, I know about the
Debian Policy.

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Alvaro Herrera wrote:

>Stephen Frost wrote:
>
>
>>* Alvaro Herrera (alvherre(at)commandprompt(dot)com) wrote:
>>
>>
>>>The only thing that I hate is that libpq defaults to searching the
>>>local socket in /var/postgresql/ or thereabouts. It really drives me
>>>crazy and I've banned the libpq packages from my system.
>>>
>>>
>>Perhaps /var/run/postgresql/? Where do you think it should go...?
>>
>>
>
>Where the upstream package puts it, /tmp ... But yeah, I know about the
>Debian Policy.
>
>
>
Maybe this should be a configure flag, just like the port number is.

cheers

andrew

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Maybe this should be a configure flag, just like the port number is.

It is ... that isn't the issue, the problem is exactly that Debian
chooses to exercise the option to make their installations different
from everyone else's.

regards, tom lane

On Thu, Feb 09, 2006 at 03:16:29PM -0500, Tom Lane wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> > Maybe this should be a configure flag, just like the port number is.
>
> It is ... that isn't the issue, the problem is exactly that Debian
> chooses to exercise the option to make their installations different
> from everyone else's.

FWIW, I prefer the Debian location. AFAICS the only rationale for
putting it in /tmp is "because it's always been there". I also agree
with suggestions to move ssh and X11 sockets out of /tmp. /tmp should
be for, well, temporary files...

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> FWIW, I prefer the Debian location. AFAICS the only rationale for
> putting it in /tmp is "because it's always been there".

Actually, it's "because it's certain to be there and be accessible to
unprivileged users". If we tried to change to something like
/var/postgresql, then getting that directory made and properly
permissioned would be an additional installation-time stumbling block
in the way of newbies. That's not an issue for prepackaged builds that
(at some level) require root privs to install, but I don't foresee it
becoming the default for builds from source. Especially not given the
client/server compatibility problems it'd create.

regards, tom lane

On 2/9/06, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> > Maybe this should be a configure flag, just like the port number is.
>
> It is ... that isn't the issue, the problem is exactly that Debian
> chooses to exercise the option to make their installations different
> from everyone else's.

It is exatly distributor's job to give consistent system. I would
not like to use a distro that just does './configure;make;make install'
without any overview.

Especially considering that upstream defaults are bad.

OTOH as upstream job is _not_ to care about consistent system
- as it is not possible - then for upstream the backwards compatibility
is the most important thing. It is likely that PostgreSQL upstream can
move the default only when most distros have already changed to sane
setting.

Oh, and I personally like that self-compiled PostgreSQL defaults to
other locations than system one. Lessens danger of using experimental
stuff on useful data.

--
marko

* Tom Lane:

> Actually, it's "because it's certain to be there and be accessible to
> unprivileged users".

Isn't this a bit problematic because any local user can impersonate a
PostgreSQL backend which has been shut down?

On Sat, Feb 11, 2006 at 03:04:00PM +0100, Florian Weimer wrote:
> * Tom Lane:
>
> > Actually, it's "because it's certain to be there and be accessible to
> > unprivileged users".
>
> Isn't this a bit problematic because any local user can impersonate a
> PostgreSQL backend which has been shut down?

Well, I guess it's an issue. At least it's not suceptable to the
standard symlink attacks. There is in general no way of knowing if the
server you are connecting to is what you think it is (except via SSL
maybe?).

The good thing is that if you're using md5 auth they can't grab your
password. The bad thing is that the server decides the authentication
protocol :(. Man-in-the-middle attacks would only be feasable for
attacker that have the same UID as the postmaster (deleting the socket
and creating a new one over the top). In those cases there's little you
can do anyway.

Putting the socket in a directory owned by the postgres user does stop
other users impersonating the server. Currently, if two local users
both compile a postgres server, they may end up connecting to
eachothers servers :).

These no real way around this. The only real option would be moving to
a home directory but that would require knowing the username the server
is running under...

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> These no real way around this. The only real option would be moving to
> a home directory but that would require knowing the username the server
> is running under...

And the problem would still exist, with even less chance of solution,
for TCP connections which are probably the majority of real-world usage.
If you're concerned about this sort of attack I think it has to be
solved in the protocol, not by reliance on socket placement.

I'm not sure whether our current SSL support does a good job of this
--- I think it only tries to check whether the server presents a
valid certificate, not which cert it is. Possibly Kerberos does more,
but I dunno a thing about that...

regards, tom lane

* Martijn van Oosterhout:

> Well, I guess it's an issue. At least it's not suceptable to the
> standard symlink attacks. There is in general no way of knowing if the
> server you are connecting to is what you think it is (except via SSL
> maybe?).

For local (i.e. UNIX domain socket) connections, there is -- just use
a hard-coded path where each directory is only writable by root or by
the PostgreSQL superuser (/var/run in Debian is not world-writable,
for instance).

> The good thing is that if you're using md5 auth they can't grab your
> password.

The password is probably of little concern if you use UNIX domain
sockets. But feeding wrong data to the application might trigger
interesting things.

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > These no real way around this. The only real option would be moving to
> > a home directory but that would require knowing the username the server
> > is running under...
>
> And the problem would still exist, with even less chance of solution,
> for TCP connections which are probably the majority of real-world usage.
> If you're concerned about this sort of attack I think it has to be
> solved in the protocol, not by reliance on socket placement.
>
> I'm not sure whether our current SSL support does a good job of this
> --- I think it only tries to check whether the server presents a
> valid certificate, not which cert it is. Possibly Kerberos does more,
> but I dunno a thing about that...

With AP_OPTS_MUTUAL_REQUIRED (which we and most other Kerberos
client/server setups use), the user and the server authenticate to each
other. The server has to prove it has access to the same key the KDC
has on file for the server, and the client has to do the same. We
really should support the various options for SSL checking. Options to
define trusted CAs, checking CN against what the IP address of the
server resolves to, mapping of DN to username (perhaps regexp based),
explicitly certificate -> username mapping, etc...

Of course, it'd be nice to get SASL support and move to GSSAPI instead
of the Kerberos API... :)

Thanks,

Stephen