Re: PostgreSQL security concerns - Mailing list pgsql-general

From Bruce Momjian
Subject Re: PostgreSQL security concerns
Date
Msg-id 200106041351.f54DpO208902@candle.pha.pa.us
In response to Re: PostgreSQL security concerns  (Francesco Casadei <f_casadei@libero.it>)
Responses Re: PostgreSQL security concerns  (Francesco Casadei <f_casadei@libero.it>)
List pgsql-general
> The only problem I have is with createdb and dropdb. I only have two users:
> pgsql and funland (created with CREATEDB option). The relevant lines of
> pg_hba.conf are:
>
> # TYPE       DATABASE    IP_ADDRESS    MASK               AUTHTYPE  MAP
> local        template0                                    trust
> local        template1                                    trust
> local        funland                                      password  funland.pwd
>
> psql prompts for a password when pgsql and funland connect to database funland
> (as expected).
> But anyone can create or destroy the database WITHOUT supplying a password. For
> example casimiro is a UNIX user not registered in PostgreSQL. I can do:
>
> casimiro@goku.kasby> createdb -U funland funland
> CREATE DATABASE
>
> casimiro@goku.kasby> dropdb -U funland funland
> DROP DATABASE
>
> I can use -W to force a password prompt, but a malicious user will not!!

createdb/dropdb are actually controlled by template0/1, not the database
itself.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
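
An added example, not part of the original message or of PostgreSQL: a small Python audit of the legacy `local` records quoted above, showing why the record for template1, rather than the one for funland, decides whether createdb/dropdb ask for a password. It assumes, as the reply indicates, that those commands connect through template1 and that the first matching record is used; the function names and the hardened variant are constructed for illustration.

```python
# Constructed sample: the pg_hba.conf records quoted in the message above.
SAMPLE_HBA = """\
# TYPE       DATABASE    IP_ADDRESS    MASK               AUTHTYPE  MAP
local        template0                                    trust
local        template1                                    trust
local        funland                                      password  funland.pwd
"""

# Constructed variant: template databases no longer on trust.
HARDENED_HBA = SAMPLE_HBA.replace("trust", "password")


def parse_local_rules(text):
    """Return (database, authtype, map) tuples for 'local' records, in file order."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "local":
            rules.append((fields[1], fields[2], fields[3] if len(fields) > 3 else None))
    return rules


def auth_for(rules, database):
    """First matching record wins; no matching record means the connection is refused."""
    for db, authtype, _map in rules:
        if db in (database, "all"):
            return authtype
    return "reject"


def audit(text, maintenance_db="template1"):
    """Report whether CREATE/DROP DATABASE is reachable without a password.

    Assumption: createdb/dropdb connect to maintenance_db, so that record,
    not the target database's record, decides how the client authenticates.
    """
    rules = parse_local_rules(text)
    gate = auth_for(rules, maintenance_db)
    findings = []
    if gate == "trust":
        protected = [db for db, auth, _ in rules if auth != "trust"]
        findings.append(
            f"{maintenance_db} is 'trust': createdb/dropdb -U <any user> needs no "
            f"password, although {protected} require one"
        )
    return gate, findings


if __name__ == "__main__":
    for name, conf in (("original", SAMPLE_HBA), ("hardened", HARDENED_HBA)):
        print(name, audit(conf))
```
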
