Re: Too easy to log in as the "postgres" user?

Andrew Bailey <hazlorealidad@xxxxxxxxx> · Thu, 15 Oct 2009 08:24:57 -0500

Thom,

You appear to be trusting all connections what I think you want is the
following:

local all all ident sameuser
# IPv4 local connections:
host all all 127.0.0.1/32 ident sameuser
# IPv6 local connections:
host all all ::1/128 ident sameuser

Remember that you need to get postgres to reread the file after
changing it by using pg_ctl reload or kill -HUP {pid}

Andy Bailey

On Thu, Oct 15, 2009 at 5:38 AM, Thom Brown <thombrown@xxxxxxxxx> wrote:
> I've noticed that if I just log in to my server, I don't su to root,
> or become the postgres user, I can get straight into the database as
> the postgres user merely with "psql -U postgres -h localhost".  My
> user account isn't a member of the postgres group.
>
> It appears I've not applied my security settings correctly.  What can
> I do to prevent access this way?  I'd still want to be able to su to
> the postgres user and log in that way, but not with the -U parameter
> allowing access.
>
> The pg_hba.conf is probably relevant here, so this is the setup:
>
> # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
>
> # "local" is for Unix domain socket connections only
> local   all         all                               trust
> # IPv4 local connections:
> host    all         all         127.0.0.1/32          trust
> # IPv6 local connections:
> host    all         all         ::1/128               trust
>
> Thanks
>
> Thom Brown
> Crawley, UK
>
> --
> Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

-- 
Andrew Bailey

(312) 866 9556

NOTA DE CONFIDENCIALIDAD Y DE NO DIVULGACIÓN:
La información contenida en este E-mail y sus archivos adjuntos es
confidencial y sólo puede ser utilizada por el individuo
o la empresa a la cual está dirigido. Si no es el receptor autorizado,
cualquier retención, difusión,
distribución o copia de este mensaje queda prohibida y sancionada por
la ley. Si por error recibe este
mensaje, favor devolverlo y borrarlo inmediatamente.

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general