Luis | 27 Aug 21:36 2015

Problem with auth_user

Hi,

I'm not totally sure if I'm seeing a bug on pgbouncer 1.6 or maybe I
don't fully understand the auth_user + auth_query feature.

I have the official pgbouncer 1.6 version.

My configuration is this:

[databases]
*= port=5432 auth_user=postgres

[pgbouncer]
auth_type = trust
auth_file = /etc/pgbouncer/userlist.txt
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1

The content of userlist.txt is:

"postgres" ""

When I try to log in with an existing postgresql user I get logged in
with that user. However if I try to log in with a non-existing user, I
get logged in with postgres user. I would expect here to have a user
authentication problem instead of getting logged in with the
auth_user.

Is that the expected behaviour? Is it maybe related to trust auth_type?

Thanks

Greg Sabino Mullane | 1 Sep 23:02 2015

Re: Problem with auth_user

On Thu, Aug 27, 2015 at 09:36:51PM +0200, Luis wrote:
> auth_type = trust
> auth_file = /etc/pgbouncer/userlist.txt
...
> When I try to log in with an existing postgresql user I get logged in
> with that user. However if I try to log in with a non-existing user, I
> get logged in with postgres user. I would expect here to have a user
> authentication problem instead of getting logged in with the
> auth_user.

Definitely a bug. I can reproduce it. I traced this back to a problem in 
client.c, inside handle_auth_response. When we find a match from the query 
and parse it by seeing a 'D' packet, we set client->auth_user to the new 
entry. However, if no 'D' is seen, and we skip straight to 'C' and 'Z',
the code sees the lack of a client->auth_user as an indication that the above 
failed. This is not true, however, as auth_user is already set (to the config 
auth_user value). Thus, getting no rows back from the auth_query lets one 
log in as the powerful auth_user user. Here is a quick patch I came up with:

diff --git a/include/bouncer.h b/include/bouncer.h
index e2dedaa..7151802 100644
--- a/include/bouncer.h
+++ b/include/bouncer.h
 <at>  <at>  -318,2 +318,3  <at>  <at>  struct PgSocket {
    bool resetting:1;   /* server: executing reset query from auth login; don't release on flush */
+    bool auth_user_changed:1; /* The value of auth_user has changed via successful server lookup */

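Review bot: the comment on the new `auth_user_changed` bit lacks the side prefix that the neighbouring `resetting` field uses ("server: ..."); this bit describes client login state, so mark it "client:" and say when it is cleared. A flag that is set on a successful lookup and checked later is only safe if it is reset for every login attempt on a PgSocket, so the patch should show that reset alongside the struct change.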
diff --git a/lib b/lib
index 7dd946a..f24cd58 160000
--- a/lib
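Review bot: the `lib` entry has mode 160000, so this part of the patch moves the submodule pointer from 7dd946a to f24cd58 alongside the auth fix. Unless the fix depends on the newer lib revision, drop it so the security fix can be reviewed and applied on its own.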

Marko Kreen | 3 Sep 22:38 2015

Re: Problem with auth_user

On Tue, Sep 01, 2015 at 05:02:42PM -0400, Greg Sabino Mullane wrote:
> On Thu, Aug 27, 2015 at 09:36:51PM +0200, Luis wrote:
> > auth_type = trust
> > auth_file = /etc/pgbouncer/userlist.txt
> ...
> > When I try to log in with an existing postgresql user I get logged in
> > with that user. However if I try to log in with a non-existing user, I
> > get logged in with postgres user. I would expect here to have a user
> > authentication problem instead of getting logged in with the
> > auth_user.
> 
> Definitely a bug. I can reproduce it. I traced this back to a problem in 
> client.c, inside handle_auth_response. When we find a match from the query 
> and parse it by seeing a 'D' packet, we set client->auth_user to the new 
> entry. However, if no 'D' is seen, and we skip straight to 'C' and 'Z',

Thanks for the bug report and analysis.  1.6.1 is out with the fix.

The real bug was assigning db->auth_user to client->auth_user in the
first place.  It is not helped that the field names are the same.  I guess
that part needs some cleaning up.

-- 
marko
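
A simplified model of the failure analysed in this thread, added here as an illustration; it is not PgBouncer source and not either fix. `struct client`, `run_lookup` and the user "alice" are hypothetical, and the packet letters follow the 'D', 'C', 'Z' sequence from the analysis. It shows why seeding the client's auth_user with the database-level auth_user makes an empty auth_query result fail open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; not PgBouncer's data structures. */
struct user { const char *name; };
struct client { const struct user *auth_user; };

static const struct user config_auth_user = { "postgres" }; /* [databases] auth_user */
static const struct user looked_up = { "alice" };           /* constructed auth_query row */

/* Feed the auth_query reply packet types to the client state.
 * Returns the name the client ends up logged in as, or NULL if refused. */
static const char *run_lookup(struct client *c, const char *pkts)
{
    for (; *pkts; pkts++) {
        switch (*pkts) {
        case 'D':                       /* DataRow: the query found the user */
            c->auth_user = &looked_up;
            break;
        case 'C':                       /* CommandComplete: was a row seen? */
            if (c->auth_user == NULL)
                return NULL;            /* no such user, refuse login */
            break;
        case 'Z':                       /* ReadyForQuery: finish login */
            return c->auth_user ? c->auth_user->name : NULL;
        default:
            break;
        }
    }
    return NULL;
}

/* Client state pre-seeded with the config auth_user: "no row" is invisible. */
const char *login_fail_open(const char *pkts)
{
    struct client c = { &config_auth_user };
    return run_lookup(&c, pkts);
}

/* Client state starts empty: only a 'D' packet can authorise the login. */
const char *login_fail_closed(const char *pkts)
{
    struct client c = { NULL };
    return run_lookup(&c, pkts);
}

int main(void)
{
    const char *r = login_fail_open("CZ");   /* empty result set */
    printf("pre-seeded, no row: %s\n", r ? r : "(refused)");
    r = login_fail_closed("CZ");
    printf("empty start, no row: %s\n", r ? r : "(refused)");
    return 0;
}
```
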
Luis | 3 Sep 23:04 2015

Re: Problem with auth_user

Thanks a lot guys for helping with that and releasing the bugfix so fast!

_______________________________________________
Pgbouncer-general mailing list
Pgbouncer-general@...
http://lists.pgfoundry.org/mailman/listinfo/pgbouncer-general
Greg Sabino Mullane | 1 Sep 23:03 2015

Re: Problem with auth_user

On Thu, Aug 27, 2015 at 09:36:51PM +0200, Luis wrote:
> Is that the expected behaviour? Is it maybe related to trust auth_type?

On that note, the docs for auth_user are pretty confusing. Will work 
on a patch when I get some tuits.

-- 
Greg Sabino Mullane greg@...
End Point Corporation
PGP Key: 0x14964AC8
Greg Sabino Mullane | 3 Sep 14:41 2015

Re: Problem with auth_user

For the record, it looks like this was fixed in 
7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

(prompted by my reporting this as issue #69 on github)

I haven't tested it as HEAD will not compile for me at the moment,
but it's a cleaner fix than my attempt.

-- 
Greg Sabino Mullane greg@...
End Point Corporation
PGP Key: 0x14964AC8