Re: Silent failure with invalid hba_file setting

Lists: pgsql-hackers
From: Thom Brown <thom(at)linux(dot)com>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Silent failure with invalid hba_file setting
Date: 2011-10-18 12:04:04
Message-ID: CAA-aLv7ZvQDZqSjk4OpBcoxpXYEVrPNxMiFpHaB+HEMcdidFLQ@mail.gmail.com

Hi,

I noticed that if the hba_file setting in the config is uncommented
and set to a directory instead of the full path to the file, no error
occurs when the service starts.

For example:

hba_file = '/home/thom/Development/data'

The problem with this is you cannot get into the database as it acts
as if it did find the hba file but found it empty.

Shouldn't a check be in place to ensure that the parameter resolves to
a file rather than anything else? And even if it does find a file,
but it's empty, shouldn't it also produce a warning of some kind?

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Thom Brown <thom(at)linux(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-18 22:38:03
Message-ID: 26359.1318977483@sss.pgh.pa.us

Thom Brown <thom(at)linux(dot)com> writes:
> I noticed that if the hba_file setting in the config is uncommented
> and set to a directory instead of the full path to the file, no error
> occurs when the service starts.

When I try that, I get a boatload of errors ending with
FATAL: could not load pg_hba.conf

I suspect what happened to you is that the directory read like an empty
file, so Postgres didn't see any error condition. I suppose we could
add an fstat test to see if we'd opened something other than a regular
file, but I'm not terribly excited about it.

> The problem with this is you cannot get into the database as it acts
> as if it did find the hba file but found it empty.

Well, an actually empty pg_hba.conf file would have the same problem,
and it's pretty hard to see any situation where it would be useful to
start the postmaster and not let it accept any connections. Should we
add a check to consider it an error if the file doesn't contain at least
one HBA record?

regards, tom lane
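
The two checks proposed in the message above (an fstat test for a regular file, and requiring at least one HBA record), sketched as an added example; this is not code from the thread or from PostgreSQL. The names `check_hba_file` and `hba_check` are hypothetical, and a "record" here is any line that is not blank or a comment, which simplifies real pg_hba.conf parsing.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical result codes for this example (not PostgreSQL's). */
enum hba_check { HBA_OK, HBA_OPEN_FAILED, HBA_NOT_REGULAR, HBA_NO_RECORDS };

/* True if the line holds something other than whitespace or a comment. */
static int line_has_record(const char *line)
{
    while (*line == ' ' || *line == '\t')
        line++;
    return *line != '\0' && *line != '\n' && *line != '\r' && *line != '#';
}

/* Open path, refuse anything but a regular file, count record lines. */
enum hba_check check_hba_file(const char *path, int *nrecords)
{
    char        buf[1024];
    struct stat st;
    int         at_line_start = 1;  /* a line longer than buf counts once */
    FILE       *fp = fopen(path, "r");
    *nrecords = 0;
    if (fp == NULL)
        return HBA_OPEN_FAILED;
    /* fstat the descriptor already opened, so the object checked is the one read. */
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode))
    {
        fclose(fp);
        return HBA_NOT_REGULAR;
    }
    while (fgets(buf, sizeof buf, fp) != NULL)
    {
        if (at_line_start && line_has_record(buf))
            (*nrecords)++;
        at_line_start = strchr(buf, '\n') != NULL;
    }
    fclose(fp);
    return *nrecords > 0 ? HBA_OK : HBA_NO_RECORDS;
}

int main(int argc, char **argv)
{
    int n;
    enum hba_check r = check_hba_file(argc > 1 ? argv[1] : "pg_hba.conf", &n);
    printf("result=%d records=%d\n", (int) r, n);
    return r != HBA_OK;
}
```

A file holding only "reject" entries passes both checks, which matches the later suggestion in the thread for a server that should accept no connections.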


From: Thom Brown <thom(at)linux(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-18 23:15:16
Message-ID: CAA-aLv59ugbU6Xbn47FHAgo2R+uEorPB4AGhmcHDwLcu8M7MOw@mail.gmail.com

On 19 October 2011 00:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thom Brown <thom(at)linux(dot)com> writes:
>> I noticed that if the hba_file setting in the config is uncommented
>> and set to a directory instead of the full path to the file, no error
>> occurs when the service starts.
>
> When I try that, I get a boatload of errors ending with
> FATAL:  could not load pg_hba.conf
>
> I suspect what happened to you is that the directory read like an empty
> file, so Postgres didn't see any error condition.  I suppose we could
> add an fstat test to see if we'd opened something other than a regular
> file, but I'm not terribly excited about it.
>
>> The problem with this is you cannot get into the database as it acts
>> as if it did find the hba file but found it empty.
>
> Well, an actually empty pg_hba.conf file would have the same problem,
> and it's pretty hard to see any situation where it would be useful to
> start the postmaster and not let it accept any connections.  Should we
> add a check to consider it an error if the file doesn't contain at least
> one HBA record?

That would solve both problems, so +1 for that.

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Thom Brown <thom(at)linux(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-19 03:50:43
Message-ID: 1318996243.10769.4.camel@vanquo.pezone.net

On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
> > The problem with this is you cannot get into the database as it acts
> > as if it did find the hba file but found it empty.
>
> Well, an actually empty pg_hba.conf file would have the same problem,
> and it's pretty hard to see any situation where it would be useful to
> start the postmaster and not let it accept any connections. Should we
> add a check to consider it an error if the file doesn't contain at least
> one HBA record?

If you try to connect and it doesn't find a record, it will tell you.

I wouldn't add extra special checks for that. It might not be
completely unreasonable to have a standby that no one can connect to,
for example.


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Thom Brown <thom(at)linux(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-19 04:20:29
Message-ID: 1339.1318998029@sss.pgh.pa.us

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
>> Well, an actually empty pg_hba.conf file would have the same problem,
>> and it's pretty hard to see any situation where it would be useful to
>> start the postmaster and not let it accept any connections. Should we
>> add a check to consider it an error if the file doesn't contain at least
>> one HBA record?

> If you try to connect and it doesn't find a record, it will tell you.

Yeah, but the damage is already done. I see the main practical benefit
of this being to prevent accidental loading of a trashed pg_hba file.

> I wouldn't add extra special checks for that. It might not be
> completely unreasonable to have a standby that no one can connect to,
> for example.

Well, you couldn't monitor its state then, so I don't find that example
very convincing. But if you were intent on having that, you could
easily set up a pg_hba file containing only "reject" entries.

regards, tom lane


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Thom Brown <thom(at)linux(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-19 05:22:08
Message-ID: CABUevEyzNXzOU3TQnC6o4cZc9XCOySvu1BgRc3rEE1DgxYVbWA@mail.gmail.com

On Oct 19, 2011 6:21 AM, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
> >> Well, an actually empty pg_hba.conf file would have the same problem,
> >> and it's pretty hard to see any situation where it would be useful to
> >> start the postmaster and not let it accept any connections. Should we
> >> add a check to consider it an error if the file doesn't contain at least
> >> one HBA record?
>
> > If you try to connect and it doesn't find a record, it will tell you.
>
> Yeah, but the damage is already done. I see the main practical benefit
> of this being to prevent accidental loading of a trashed pg_hba file.

Yeah, definitely. It's very much a pita when you accidentally do that with a
syntax error on <8.4, %. So while I haven't actually managed to hit his
specific problem myself, +1 for this approach.

> > I wouldn't add extra special checks for that. It might not be
> > completely unreasonable to have a standby that no one can connect to,
> > for example.
>
> Well, you couldn't monitor its state then, so I don't find that example
> very convincing. But if you were intent on having that, you could
> easily set up a pg_hba file containing only "reject" entries.
>

Yeah, seems reasonable to put a (very) small amount of extra work in the
path of a very uncommon scenario in order to protect users in the common
one...

/Magnus


From: Thom Brown <thom(at)linux(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-19 08:21:54
Message-ID: CAA-aLv5KPnucXxNKoBDP=5g2+M10MfK6=zAWg8CJkvgxYRx3=g@mail.gmail.com

On 19 October 2011 05:50, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> On tis, 2011-10-18 at 18:38 -0400, Tom Lane wrote:
>> > The problem with this is you cannot get into the database as it acts
>> > as if it did find the hba file but found it empty.
>>
>> Well, an actually empty pg_hba.conf file would have the same problem,
>> and it's pretty hard to see any situation where it would be useful to
>> start the postmaster and not let it accept any connections.  Should we
>> add a check to consider it an error if the file doesn't contain at least
>> one HBA record?
>
> If you try to connect and it doesn't find a record, it will tell you.

Yes, but then the user could end up pulling their hair out trying to
figure out why it's not matching any of the rules in the pg_hba.conf
file, when it's not being used at all. Because there would have been
no indication that it failed to find the file in question when the
service started, the user may, rightly or wrongly, assume that the
file was being read, but they had somehow misconfigured the file.

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


From: Thom Brown <thom(at)linux(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Silent failure with invalid hba_file setting
Date: 2011-10-24 08:13:23
Message-ID: CAA-aLv6sgfwYKzBXUtsxEkmUe9_rv4+nEGwNYySYxsB9W8Fh7A@mail.gmail.com

On 19 October 2011 05:20, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>> I wouldn't add extra special checks for that.  It might not be
>> completely unreasonable to have a standby that no one can connect to,
>> for example.
>
> Well, you couldn't monitor its state then, so I don't find that example
> very convincing.  But if you were intent on having that, you could
> easily set up a pg_hba file containing only "reject" entries.

I hadn't noticed you'd committed some changes around this until now. Thanks.

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company