Re: pg_hba.conf && ident ...

From: Malcolm Beattie <mbeattie(at)sable(dot)ox(dot)ac(dot)uk>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: The Hermit Hacker <scrappy(at)hub(dot)org>, pgsql-hackers(at)postgresql(dot)org, darcy(at)vex(dot)net
Subject: Re: pg_hba.conf && ident ...
Date: 2000-05-10 16:28:52
Message-ID: 20000510172851.D8661@sable.ox.ac.uk
Lists: pgsql-hackers

Tom Lane writes:
> Malcolm Beattie <mbeattie(at)sable(dot)ox(dot)ac(dot)uk> writes:
> > I'd thought that I'd fixed PostgreSQL itself too but looking
> > back in my mail logs I can only find my patch which fixes the problem
> > with sending ident requests from a server with an IP alias. I may have
> > forgotten to send in the patch (or even to write one) for the "ident
> > synchronous in postmaster" problem itself. Sorry. I'll look harder.
>
> Yes, I see your alias patch in there, but that doesn't have anything to
> do with the problem of a nonresponding ident server. I agree with Jan
> that a really good fix would allow the postmaster to return to its outer
> event loop while waiting for the ident response. It'd be a nontrivial
> rewrite though... anyone use ident enough to want to tackle it?

It looks like the whole pg_hba thing isn't really designed to be
asynchronous or event-driven. A cheap and cheerful fix would be to
replace the blocking connect/send/recv in ident() in hba.c with
foo_timeout ones (for foo one of connect/send/recv). Basically, set
O_NONBLOCK on the socket with fcntl and have foo_timeout() do

    ...
    FD_SET(ourfd, &fds);
    tv.tv_sec = TIMEOUT;
    foo(...);
    if (select(ourfd+1, &fds, &fds, 0, &tv) == -1)
        return -1;
    return foo(...);

At least you then have an upper bound of about 3*TIMEOUT on how long
the postmaster is busy. It would still be susceptible to a denial of
service attack though. The other option would be an alarm() timeout
which could wrap the entire ident process but doing alarms portably
and safely is weird on some platforms depending on what else is going
on at the time.

--Malcolm

--
Malcolm Beattie <mbeattie(at)sable(dot)ox(dot)ac(dot)uk>
Unix Systems Programmer
Oxford University Computing Services
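
The per-call timeout sketched in the message above, written out as an added example; it is not code from the message or from PostgreSQL's hba.c. The names wait_fd, connect_timeout and recv_timeout are hypothetical, the caller is assumed to have set O_NONBLOCK on the socket, and a send_timeout would follow the same pattern as recv_timeout with the wait on writability.

```c
/* Added example, not PostgreSQL source: socket calls with a bounded wait. */
#include <errno.h>
#include <fcntl.h>      /* O_NONBLOCK, which the caller sets on the socket */
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait up to secs for fd to become readable or writable; 0 = ready. */
static int wait_fd(int fd, int want_write, int secs)
{
    fd_set fds;
    struct timeval tv = { .tv_sec = secs, .tv_usec = 0 };
    int n;
    FD_ZERO(&fds);
    FD_SET(fd, &fds);
    n = select(fd + 1, want_write ? NULL : &fds, want_write ? &fds : NULL, NULL, &tv);
    if (n == 0)
        errno = ETIMEDOUT;      /* silent peer: report it as a timeout */
    return n > 0 ? 0 : -1;      /* select() errors, EINTR included, also fail */
}

/* connect() bounded by secs; fd must be non-blocking. */
int connect_timeout(int fd, const struct sockaddr *sa, socklen_t len, int secs)
{
    int err = 0;
    socklen_t elen = sizeof(err);
    if (connect(fd, sa, len) == 0)
        return 0;
    if (errno != EINPROGRESS || wait_fd(fd, 1, secs) < 0)
        return -1;
    /* Writable only means the attempt finished; SO_ERROR says how. */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen) < 0 || err != 0) {
        if (err != 0)
            errno = err;
        return -1;
    }
    return 0;
}

/* recv() bounded by secs; fd must be non-blocking. */
ssize_t recv_timeout(int fd, void *buf, size_t len, int secs)
{
    ssize_t n = recv(fd, buf, len, 0);
    if (n >= 0 || (errno != EAGAIN && errno != EWOULDBLOCK))
        return n;
    return wait_fd(fd, 0, secs) < 0 ? -1 : recv(fd, buf, len, 0);
}
```

Each call waits at most secs, so a connect, one send and one recv against a silent ident server occupy the caller for roughly three timeouts, the bound the message gives.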
