
Re: Post Install / Secure PostgreSQL

Alan Hodgson wrote:
The default setup allows "trust" access, which means it trusts local system accounts to log in as the same roles in Pg without specifying a password.

There are two small inaccuracies in how you're describing this part. First, having "trust" be the default is the case for PostgreSQL itself. But many of the packaged versions of it instead default to "ident". You really need to look at the pg_hba.conf file after you first do an installation on a new operating system or packaging type to know for sure what it did, if you let that package create the cluster for you.

Second, it's "ident" that lets you log in only to the role that matches your system account. If you use "trust", you can log in as any database user from any system account. It's kind of disturbing to some people when they realize they can be logged into a regular account, run "psql -U postgres", and be right in as the database superuser in that configuration.

As a larger commentary on this somewhat old thread I'm just getting to now, it's easy to point at MySQL and laugh at the insecure-by-default setup. It's just as easy to point and laugh at how complicated it is for those new to PostgreSQL to get the basic things most people want working. I can imagine a small script similar to the MySQL one--I guess we could call it postgresql_unsecure_installation--that asked a few questions and did things like set up the PostgreSQL account with a password, switch to md5 authentication, set listen_addresses, and turn on TCP/IP for the local LAN in pg_hba.conf. The saga Carlos has gone through here is repeated over and over again by those new to PostgreSQL, and not making it easier to do this extremely common sequence crossed over into being an advocacy issue a while ago in my mind. It would be a great script for someone who wanted to contribute something to PostgreSQL, but doesn't feel comfortable working on the core code, to write.

--
Greg Smith, 2ndQuadrant US greg@xxxxxxxxxxxxxxx Baltimore, MD
PostgreSQL Training, Services and Support  www.2ndQuadrant.us
Author, "PostgreSQL 9.0 High Performance"    Pre-ordering at:
https://www.packtpub.com/postgresql-9-0-high-performance/book


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
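The following is an added example, not code from this thread or from the PostgreSQL project. It sketches the "ask a few questions and fix the defaults" script Greg describes as plain file transformations, so it runs offline against constructed copies of pg_hba.conf and postgresql.conf: it counts active "trust" rules (the setting that lets any OS account become any role), rewrites local-socket rules to "peer" (the OS-user-must-match-the-role method; "ident" is the older name for it on Unix sockets) and TCP rules to a password method, appends one password-authenticated rule for a LAN range, and sets listen_addresses. The file contents, paths, LAN range and address values are all constructed for the example; the password method defaults to md5 as in the thread, and on current releases you would pass scram-sha-256 instead.

```shell
#!/bin/sh
# Added example (not from the thread or the PostgreSQL project): model the
# post-install hardening steps as transformations of constructed config files.

# Constructed pg_hba.conf resembling a permissive "trust everything" default.
write_sample_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
EOF
}

# Constructed postgresql.conf fragment with listen_addresses still commented out.
write_sample_pgconf() {
  cat > "$1" <<'EOF'
#listen_addresses = 'localhost'
port = 5432
EOF
}

# Number of active (non-comment) rules whose METHOD column equals $2.
# Every rule line has at least 4 fields; the method is always the last one.
count_method_rules() {
  awk -v m="$2" '$1 !~ /^#/ && NF >= 4 && $NF == m { n++ } END { print n + 0 }' "$1"
}

# Convenience wrapper: how many rules still grant passwordless "trust" access.
count_trust_rules() {
  count_method_rules "$1" trust
}

# Rewrite pg_hba.conf $1 into $2:
#   local ... trust      -> local ... peer      (OS user must match the role)
#   host* ... trust      -> host* ... <method>  (password auth over TCP)
# then append one <method> rule for the LAN CIDR in $3. $4 is the password
# method, md5 by default (use scram-sha-256 on modern servers). Comments and
# column alignment are preserved because only the trailing word is replaced.
harden_hba() {
  in="$1"; out="$2"; lan="$3"; method="${4:-md5}"
  sed -E \
    -e 's/^(local[[:space:]].*[[:space:]])trust[[:space:]]*$/\1peer/' \
    -e "s/^(host(ssl|nossl)?[[:space:]].*[[:space:]])trust[[:space:]]*\$/\1$method/" \
    "$in" > "$out"
  printf 'host    all             all             %-24s%s\n' "$lan" "$method" >> "$out"
}

# Set listen_addresses in postgresql.conf $1 to $2, uncommenting it if needed.
# '|' is used as the sed delimiter so the value may contain '/'.
set_listen_addresses() {
  sed -E "s|^#?listen_addresses[[:space:]]*=.*|listen_addresses = '$2'|" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Read back the active (uncommented) listen_addresses value.
get_listen_addresses() {
  sed -nE "s/^listen_addresses[[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1"
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
  d=$(mktemp -d)
  write_sample_hba "$d/pg_hba.conf"
  write_sample_pgconf "$d/postgresql.conf"
  echo "trust rules before: $(count_trust_rules "$d/pg_hba.conf")"
  harden_hba "$d/pg_hba.conf" "$d/pg_hba.hardened" "192.168.1.0/24"
  echo "trust rules after:  $(count_trust_rules "$d/pg_hba.hardened")"
  set_listen_addresses "$d/postgresql.conf" "localhost,192.168.1.10"
  echo "listen_addresses:   $(get_listen_addresses "$d/postgresql.conf")"
  echo "--- hardened pg_hba.conf ---"
  cat "$d/pg_hba.hardened"
  rm -rf "$d"
}

demo
```

The audit function is the piece worth keeping around on its own: run `count_trust_rules /etc/postgresql/.../pg_hba.conf` (path depends on your packaging) after any fresh install and treat a non-zero answer as the signal that the cluster is in the "psql -U postgres just works from any account" state Greg describes. The rewrite only ever touches rules whose method is literally "trust", so a package that already shipped "ident" or "peer" lines passes through unchanged, and the server still has to be reloaded for either file to take effect.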

