Richard Hayward <richard@xxxxxxxxxxxxxxxxxxxx> writes: > On Wed, 01 Jun 2005 11:39:22 -0400, tgl@xxxxxxxxxxxxx (Tom Lane) > wrote: >> Perhaps you should use something other than password authentication >> for the guest account. > I want anyone from anywhere to be able to connect to my_database (only > my_database, not others in the cluster) using the guest account. The > system is to be live on the Internet. > Putting: > host my_database guest 0.0.0.0 0.0.0.0 trust > ahead of other entries in pg_hba.conf seems to do the trick. Even if > guest is given a password, or it gets changed, guest can connect > without being asked for it. > The guest account will only be allowed select permissions. > Does this open me to being attacked? I assume guest could then query > various system tables, but that other users passwords are either not > visible or securely encrypted. I'd be inclined to use a postmaster dedicated *only* to that purpose, running under a Unix userid also dedicated to that purpose. We do come across security holes from time to time ... regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@xxxxxxxxxxxxxx
