RE: [HACKERS] Re: [GENERAL] How do I activate and change the postgres user's password? - Mailing list pgsql-general

From Nicolas Huillard
Subject RE: [HACKERS] Re: [GENERAL] How do I activate and change the postgres user's password?
Date
Msg-id 01BF1685.C12DD110@toulouse
List pgsql-general
I am not that paranoid...
Maybe the balance between paranoia and "administrability" is important too. That's why the security thread is important
on these Postgres mailing lists. And the proposed TODO too.
Side note: I'll check the security portal...

NH

-----Original Message-----
From:    Aaron J. Seigo [SMTP:aaron@gtv.ca]
Date:    Thursday, October 14, 1999 19:11
To:    Nicolas Huillard; 'Oleg Bartunov'; 'Peter Eisentraut'
Cc:    'Lincoln Yeoh'; 'pgsql-general@postgreSQL.org'; 'pgsql-hackers@postgreSQL.org'
Subject:    RE: [HACKERS] Re: [GENERAL] How do I activate and change the postgres user's password?

hi..

> * there is still a problem for the access to the database themselves : site
> 1 should access database 1, and not database 2, but there should have the
> least password in the calling scripts

a quick thought: if you are really paranoid, set up different installations of
postgres, even if on the same box... don't run them on the default port, set up
separate pg_hba files and it should keep everything QUITE separate.

> I already posted a message concerning security, but nobody seems to be
> concerned about this. I read the advices at www.cert.org, and since then, I
> became paranoiac...

as a side note, CERT sucks. they know security, if only because they know about
much of the cracking activity on the net, via reports. however, they are
close-mouthed about it all. they don't offer solutions, don't require vendors
to produce solutions and don't tell the public about the problems until the
vendor says "ok, tell 'em now", which is usually FAR too late. why do you think
they lose most of their star players (such as the guy who wrote SATAN?)? A:
frustration.

there are MUCH better security sites/sources than CERT. e.g. security portal.

--
Aaron J. Seigo
Sys Admin

