On 1/7/06, Magnus Hagander <mha@xxxxxxxxxxxxxx> wrote:
> > A recent article about an Oracle worm:
> > http://www.eweek.com/article2/0,1895,1880648,00.asp
> > got me wondering.
> > Could a worm like this infect a PostgreSQL installation?
> > It seems to depend on default usernames and passwords - and
> > lazy DBAs, IMO.
> > Isn't it true that PostgreSQL doesn't have any default user/password?
>
> That's true. However, PostgreSQL ships by default with access mode set
> to "trust", which means you don't *need* a password. And I bet you'll
> find the user being either "postgres" or "pgsql" in 99+% of all
> installations.
>
> We do, however, ship with network access disabled by default. Which
> means a worm can't get to it, until you enable that. But if you enable
> network access, and don't change it from "trust" to something else (such
> as md5), then you're wide open to this kind of entry.
>

I don't think it's quite that easy. The default installs from SUSE and other RPM I have done are set to ident sameuser for local connections. Even if you turn on the -i flag, you can't get in remotely since there is no pg_hba.conf record for the rest of the world by default. You would have to add a record to pg_hba.conf. PostgreSQL is remarkably secure out of the box compared to Brand X.
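The thread turns on which pg_hba.conf rules use "trust" and whether they reach beyond the local socket. The following audit script is an added example, not code from the thread or from PostgreSQL itself; the pg_hba.conf contents it checks are constructed samples, and the severity labels are this example's own choice.

```python
"""Flag pg_hba.conf rules that use "trust" (no password required at all)."""
import ipaddress

# Authentication methods pg_hba.conf accepts (old and new). Knowing them lets us
# tell the "ADDRESS/CIDR METHOD" host form from the "IP NETMASK METHOD" form.
KNOWN_METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "crypt",
                 "ident", "peer", "cert", "gss", "sspi", "pam", "ldap", "radius"}

# Constructed sample (not from the thread): a trusting config and a fixed one.
TRUSTING_HBA = """
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               trust
host    all       all   127.0.0.1/32                md5
host    all       all   192.168.1.0  255.255.255.0  trust
host    all       all   0.0.0.0/0                   trust
"""
HARDENED_HBA = TRUSTING_HBA.replace("trust", "md5")

def parse_hba(text):
    """Return (type, database, user, address, method) for each rule line."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()           # drop comments, tokenize
        if not f:
            continue
        if f[0] == "local":
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if len(f) >= 6 and f[4] not in KNOWN_METHODS:
                addr, method = f"{f[3]}/{f[4]}", f[5]   # IP plus separate netmask
            else:
                addr, method = f[3], f[4]              # CIDR, hostname or 'all'
            rules.append((f[0], f[1], f[2], addr, method))
    return rules

def audit_trust(text):
    """Return [(severity, description)] for every rule that authenticates with trust."""
    findings = []
    for ctype, db, user, addr, method in parse_hba(text):
        if method != "trust":
            continue
        if ctype == "local":
            findings.append(("medium", f"local socket: any OS user may connect as '{user}' to {db}"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
            wide_open = net.prefixlen == 0           # 0.0.0.0/0 or ::/0
        except ValueError:                           # hostname, 'all', 'samenet', ...
            wide_open = addr == "all"
        sev = "critical" if wide_open else "high"
        findings.append((sev, f"{ctype} from {addr}: passwordless login as '{user}' to {db}"))
    return findings
```

Run it against a real pg_hba.conf by passing the file's contents to `audit_trust`; an empty result means no rule grants passwordless access, which is the state the reply above describes for a stock install.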