jason.leach@xxxxxxxxx ("Jason C. Leach") writes:
> Why not put pg_hba.conf in a pg table? Seems like it would be much
> easier to work with. After all, if we can keep users in the db
> tables, why not this?
... Because it represents information that needs to be accessed
*before* a connection to the database is established.
This is the configuration that determines whether or not a DB
connection is permitted. If we store the information in a table, then
the connection has to be accepted in order to determine if the
connection should be accepted.
As things stand, pg_hba.conf will reject many of the cases without
needing to burden the database engine with another connection.
If connections are required, then:
a) There are presumably some new race conditions for vulnerabilities
that come available;
b) A new DOS attack is introduced.
--
select 'cbbrowne' || '@' || 'acm.org';
http://cbbrowne.com/info/unix.html
:FATAL ERROR -- ILLEGAL ERROR�
