Don't set PAM_RHOST for Unix sockets.
authorThomas Munro <[email protected]>
Wed, 28 Nov 2018 01:00:57 +0000 (14:00 +1300)
committerThomas Munro <[email protected]>
Wed, 28 Nov 2018 01:12:30 +0000 (14:12 +1300)
Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix
sockets.  This caused Linux PAM's libaudit integration to make DNS
requests for that name.  It's not exactly clear what value PAM_RHOST
should have in that case, but it seems clear that we shouldn't set it
to an unresolvable name, so don't do that.

Back-patch to 9.6.  Bug #15520.

Author: Thomas Munro
Reviewed-by: Peter Eisentraut
Reported-by: Albert Schabhuetl
Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org

src/backend/libpq/auth.c

index 4f9d697d6da2dd972f6b3db890038603ecc43968..ff0832dba8b260294b2c7b94950102dd97c3b413 100644 (file)
@@ -2162,18 +2162,6 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
 {
        int                     retval;
        pam_handle_t *pamh = NULL;
-       char            hostinfo[NI_MAXHOST];
-
-       retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
-                                                               hostinfo, sizeof(hostinfo), NULL, 0,
-                                                               port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
-       if (retval != 0)
-       {
-               ereport(WARNING,
-                               (errmsg_internal("pg_getnameinfo_all() failed: %s",
-                                                                gai_strerror(retval))));
-               return STATUS_ERROR;
-       }
 
        /*
         * We can't entirely rely on PAM to pass through appdata --- it appears
@@ -2219,15 +2207,37 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
                return STATUS_ERROR;
        }
 
-       retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
-       if (retval != PAM_SUCCESS)
+       if (port->hba->conntype != ctLocal)
        {
-               ereport(LOG,
-                               (errmsg("pam_set_item(PAM_RHOST) failed: %s",
-                                               pam_strerror(pamh, retval))));
-               pam_passwd = NULL;
-               return STATUS_ERROR;
+               char            hostinfo[NI_MAXHOST];
+               int                     flags;
+
+               if (port->hba->pam_use_hostname)
+                       flags = 0;
+               else
+                       flags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+               retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+                                                                       hostinfo, sizeof(hostinfo), NULL, 0,
+                                                                       flags);
+               if (retval != 0)
+               {
+                       ereport(WARNING,
+                                       (errmsg_internal("pg_getnameinfo_all() failed: %s",
+                                                                        gai_strerror(retval))));
+                       return STATUS_ERROR;
+               }
+
+               retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+               if (retval != PAM_SUCCESS)
+               {
+                       ereport(LOG,
+                                       (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+                                                       pam_strerror(pamh, retval))));
+                       pam_passwd = NULL;
+                       return STATUS_ERROR;
+               }
        }
 
        retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
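Review bot: The pg_getnameinfo_all failure branch inside the new `conntype != ctLocal` block returns STATUS_ERROR without clearing pam_passwd, while the pam_set_item(PAM_RHOST) failure branch a few lines below it does `pam_passwd = NULL;` before returning. In the old layout this lookup ran before the appdata comment (first hunk), i.e. presumably before pam_passwd is assigned and before pam_start, so an early return left no state behind; after the move a name-resolution failure for a TCP connection now exits with the static pam_passwd apparently still pointing at the caller's password, which every other error path here deliberately unsets. Add `pam_passwd = NULL;` before that `return STATUS_ERROR;`, and check whether the handle from pam_start should be released on this path in the same way the function's other post-pam_start failures handle it. The WARNING/errmsg_internal report on that branch also differs from the LOG/errmsg used by the neighbouring PAM failure paths; that was inherited from the moved code, but now that they sit side by side one style would read better. CheckPAMAuth's body continues outside the hunk.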