Re: Security note: MS SQL is current worm vector - Mailing list pgsql-hackers

From Ian Barwick
Subject Re: Security note: MS SQL is current worm vector
Msg-id 200111251916.UAA18834@post.webmailer.de
In response to Re: Security note: MS SQL is current worm vector  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Sunday 25 November 2001 18:13, Tom Lane wrote:
> Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> > Yeah, by default Postgresql ships practically without any access
> > controls.
>
(...)
> I do wonder whether we shouldn't list "think about your access controls"
> as an explicit step in the installation instructions or server startup
> instructions.  The default configuration is definitely uncool on
> multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password is set during db initialisation and before the server is started;

2) before starting the server change the appropriate settings in pg_hba.conf from 'trusted' to 'password' (or whatever other authentication system is to be used).

Particularly the point about initdb with -W isn't mentioned
in the "7.1 Administrator's Guide" (section 3.2, 'Creating
a database cluster'), which is probably the first port of call 
for many first time admin/users.

Following these steps should exclude any possibility
of even local users gaining uncontrolled access to the
backend. (Motto: "Never Trust Anyone" ;-)

Yours

Ian Barwick
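Step 2 of the message above in runnable form, as an added example that is not part of the original post: a POSIX shell audit that flags pg_hba.conf entries using the `trust` method (the keyword the file actually uses) and writes a copy with them switched to `password`, the method the message names. The field layout assumed (no address column on `local` lines; `addr/prefix` or `addr netmask` on `host` lines) is the standard pg_hba.conf format, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pg_hba.conf for "trust"
# entries and write a hardened copy, i.e. step 2 of the message above.
# Step 1 (initdb -W) is interactive and not repeated here.

# awk helper: index of the METHOD field on a data line. "local" lines have
# no address column; host lines carry either addr/prefix or addr + netmask.
HBA_METHOD_FIELD='
    function method_field() {
        if ($1 == "local") return 4
        if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 6   # addr netmask METHOD
        return 5                                                # addr/prefix METHOD
    }'

# Print "<line no>: <line>" for every non-comment line whose method is trust.
find_trust_entries() {
    awk "$HBA_METHOD_FIELD"'
        NF == 0 || $1 ~ /^#/ { next }
        { i = method_field(); if ($i == "trust") print NR ": " $0 }
    ' "$1"
}

# Number of trust entries, usable as a pass/fail signal in a deployment check.
count_trust_entries() {
    find_trust_entries "$1" | wc -l | tr -d ' '
}

# Copy $1 to $2 with every trust method replaced by password, as the message
# suggests (awk re-joins fields with single spaces, so column alignment is lost).
harden_hba() {
    awk "$HBA_METHOD_FIELD"'
        NF == 0 || $1 ~ /^#/ { print; next }
        { i = method_field(); if ($i == "trust") $i = "password"; print }
    ' "$1" > "$2"
}

# Constructed sample in the shape of a permissive default file (not real data).
SAMPLE_HBA=$(mktemp)
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   127.0.0.1/32    trust
host    all       all   10.0.0.0  255.0.0.0  trust
host    all       all   ::1/128         password
EOF

find_trust_entries "$SAMPLE_HBA"   # lists the three trust lines
```

On a current server the `password` method still sends the password in cleartext, so `scram-sha-256` is the usual replacement today; the rewrite rule is a one-word change.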

