
DBI.pm connects with 'use DBI' to a PostgreSQL server without credentials


Matthias Apitz

Nov 27, 2023, 01:30:06
to dbi-...@perl.org

Hello,

With a larger application written in Perl, we encounter the problem that
the following lines appear in the server log of a remote PostgreSQL server:

2023-11-20 10:45:55.826 CET [84269] FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption
...

The simplified code is this:

#!/usr/bin/perl

use DBI;
...

my $driver_name = "Pg";
...
my $dsn = "DBI:$driver_name:dbname = $db_name;host = $pghost;port = $pgport";
$__ref->{'dbh'} = DBI->connect($dsn, "$user_name", "$pass_name",
    {'ChopBlanks' => 0, 'AutoCommit' => $autocommit, 'PrintError' => 0,
     'LongReadLen' => 2500000 }) || do {
        $__ref->{'errorString'} =
            "can't open database <$__ref->{'databaseName'}>!\n${DBI::errstr}\n";
...


export DBI_TRACE='1=/tmp/dbitrace.log';

The environment at the moment of 'use DBI;' contains only
PGHOST and PGPORT; the user is 'nobody' (which uses DBD::Pg to connect)
because the code is started by Apache as CGI-BIN. It took us a while
to understand what is causing the errors: the 'use DBI;' already
does a connect to the server and tries to read the names of the
available databases from the server:

/tmp/dbitrace.log:


DBI 1.643-ithread default trace level set to 0x0/1 (pid 117222 pi 2289910) at DBI.pm line 294 via SisisAdmin.pm line 10
-> DBI->install_driver(Pg) for linux perl=5.035002 pid=117222 ruid=65534 euid=65534
install_driver: DBD::Pg version 3.16.0 loaded from /usr/local/sisis-pap/perlbrew/perls/perl-5.35.2/lib/site_perl/5.35.2/x86_64-linux-thread-multi/DBD/Pg.pm
<- install_driver= DBI::dr=HASH(0x3926378)
!! The warn '0' was CLEARED by call to data_sources method
ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
<- DESTROY(DBI::db=HASH(0x391fc98))= ( undef ) [1 items] at Pg.pm line 264
!! ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
<- data_sources= ( ) [0 items] at DBI.pm line 1074

Later in the code, with the correct database to connect to and
credentials:

-> DBI->connect(dbi:Pg:dbname = sisis; host = sisis-db ; port = 5432, sisis, ****, HASH(0x3686bd8))
!! The ERROR '1' was CLEARED by call to connect method
<- connect('dbname = sisis; host = sisis-db ; port = 5432', 'sisis', ...)= ( DBI::db=HASH(0x3918428) ) [1 items] at DBI.pm line 679
<- STORE('RaiseError', 0)= ( 1 ) [1 items] at DBI.pm line 731
<- STORE('PrintError', 0)= ( 1 ) [1 items] at DBI.pm line 731
<- STORE('AutoCommit', 1)= ( 1 ) [1 items] at DBI.pm line 731
<- STORE('pg_enable_utf8', 1)= ( 1 ) [1 items] at DBI.pm line 734
<- STORE('LongReadLen', 2500000)= ( 1 ) [1 items] at DBI.pm line 734
$h->{'pg_utf8_flag'}=1 ignored for invalid driver-specific attribute
<- STORE('pg_utf8_flag', 1)= ( '' ) [1 items] at DBI.pm line 734
<- STORE('Username', 'sisis')= ( 1 ) [1 items] at DBI.pm line 734
<- STORE('ChopBlanks', 1)= ( 1 ) [1 items] at DBI.pm line 734
<- connected('dbi:Pg:dbname = sisis; host = sisis-db ; port = 5432', 'sisis', ...)= ( undef ) [1 items] at DBI.pm line 741
...

How could we avoid such a connect to the database server without
the correct credentials?

Thanks

matthias
--
Matthias Apitz, ✉ gu...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Mark Lawrence via dbi-users

Nov 28, 2023, 06:30:05
to Matthias Apitz, dbi-...@perl.org

> the 'use DBI;' already does a connect to the server and tries to read
> the names of the available databases from the server:

I would check this assumption, because it strikes me as extremely
unlikely. DBI does not load any drivers at use or require/import time.

You could add some tracing statements of your own to confirm. See the
"trace_msg" method for example, which you could call directly after the
"use DBI" statement, to put something in your trace file.

> <- install_driver= DBI::dr=HASH(0x3926378)
> !! The warn '0' was CLEARED by call to data_sources method
> ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
> <- DESTROY(DBI::db=HASH(0x391fc98))= ( undef ) [1 items] at Pg.pm line 264
> !! ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
> <- data_sources= ( ) [0 items] at DBI.pm line 1074

This appears to be the result of a call to DBI->data_sources(). Are you
calling that somewhere?

--
Mark Lawrence
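
An added example, not code from the thread or from the DBI project: one way to apply the trace_msg suggestion above and also record which code calls DBI->data_sources() in a large module. It assumes callers go through the DBI->data_sources() class method (as the "at DBI.pm line 1074" trace entry indicates); legacy_list_databases is a hypothetical stand-in for the application code, and the bundled ExampleP driver replaces Pg so the demo opens no connection.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
use strict;
use warnings;
use Carp ();
use DBI;

# Marker directly after 'use DBI'. If no driver activity precedes it in the
# trace file, loading DBI itself did not open any connection.
DBI->trace_msg("== marker: 'use DBI' done, pid $$ ==\n", 1);

# Wrap the class method so every call records who made it.
# Assumption: callers go through DBI->data_sources(), as the
# "data_sources ... at DBI.pm line 1074" trace entry indicates.
{
    no warnings 'redefine';
    my $orig = \&DBI::data_sources;
    *DBI::data_sources = sub {
        my $driver = defined $_[1] ? $_[1] : '(undef)';
        # longmess() appends the call stack, so the trace names the caller.
        DBI->trace_msg(Carp::longmess("== DBI->data_sources($driver)"), 1);
        goto &$orig;    # hand over to the real method with @_ unchanged
    };
}

# Hypothetical stand-in for the helper buried in the large module.
sub legacy_list_databases {
    # ExampleP ships with DBI and opens no network connection, so the demo
    # is safe to run anywhere; the real application passes 'Pg' here.
    return DBI->data_sources('ExampleP');
}

my @sources = legacy_list_databases();
print "data sources: @sources\n";
```

Run it with DBI_TRACE='1=/tmp/dbitrace.log' as in the original post; the marker and the call stack are written only when the trace level is at least 1. In the real application the wrapper has to be installed before the module under suspicion is loaded.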

Matthias Apitz

Nov 29, 2023, 03:45:05
to dbi-...@perl.org

On Tuesday, November 28, 2023 at 11:14:35 +0000, Mark Lawrence via dbi-users wrote:

> > the 'use DBI;' already does a connect to the server and tries to read
> > the names of the available databases from the server:
>
> I would check this assumption, because it strikes me as extremely unlikely.
> DBI does not load any drivers at use or require/import time.

I was wrong about this.

> > ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
> > <- DESTROY(DBI::db=HASH(0x391fc98))= ( undef ) [1 items] at Pg.pm line 264
> > !! ERROR: 1 'connection to server at "sisis-db" (172.16.6.3), port 5432 failed: FATAL: no pg_hba.conf entry for host "172.16.5.3", user "nobody", database "postgres", no encryption' (err#0)
> > <- data_sources= ( ) [0 items] at DBI.pm line 1074
>
> This appears to be the result of a call to DBI->data_sources(). Are you
> calling that somewhere?

Exactly, we were calling it without correct credentials in the env vars
PGUSER, PGPASSWORD. Thanks for your hint. The code of this module is
more than a thousand lines long and not written by me.
I am not at war with Russia.