Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
Date
Msg-id 200111280150.fAS1oSv05626@candle.pha.pa.us
In response to FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!  ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>)
List pgsql-hackers
This is a known problem. I just updated the documentation today to
stress that local users have full access to any database by default, and
that initdb -W and changing pg_hba.conf to password/md5 are the best
ways to fix this.

---------------------------------------------------------------------------

> Hi guys,
> 
> This came across the phpPgAdmin list, and I'm reposting it here in case it
> is actually true...?  If it is, is it a Postgres or a Debian package issue?
> 
> Chris
> 
> -----Original Message-----
> From: phppgadmin-devel-admin@lists.sourceforge.net
> [mailto:phppgadmin-devel-admin@lists.sourceforge.net]On Behalf Of Guilherme
> Barile
> Sent: Wednesday, 28 November 2001 3:58 AM
> To: phpPgAdmin-devel@lists.sourceforge.net
> Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
> anyone!
> 
> 
> Debian comes with a severe configuration fault in postgresql ... in
> pg_hba.conf, it uses TRUST as the default authentication method (from
> localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
> password.
> 
> There are DOZENS of sites out there running without any security! And this
> is terrible! If I weren't a very nice person and simply didn't change
> anything (I could, as postgres is superuser and I can log in as it).
> Here's how to fix it (on debian, don't know if any other distribution is
> affected):
> log in as postgres
> run psql
> check the pg_shadow table (SELECT * FROM pg_shadow;)
> see if everyone has a password (especially user postgres)
> 
> After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
> following lines:
> 
> local        all                                           password
> host         all         127.0.0.1     255.0.0.0           password
> 
> Then it will require a password.
> Also, if you wish to block connections from the internet, add this also:
> 
> host         all         0.0.0.0       0.0.0.0             reject
> 
> Please put this on the page or together with PhpPgAdmin's documentation.
> (Search google.com with "phppgadmin local:5432" and check for yourself ...
> login as postgres and type anything as password!)
> 
> 
> Thank you very much for your attention (Please be kind and reply)
> 
> Guilherme Barile
> Infoage Web Solutions
> Sao Paulo - SP - Brazil
> 
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
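The thread above boils down to one configuration check: does pg_hba.conf grant `trust` to local or loopback connections, and is there a catch-all `reject` for everything else? The following audit script is an added example written for this archive page; it is not code from the PostgreSQL project, from Bruce Momjian, or from the phpPgAdmin list. It parses the 7.1-era pg_hba.conf column layout the quoted message uses (TYPE, DATABASE, optional IP-ADDRESS and IP-MASK, then METHOD), reports every `trust` record, and writes a hardened copy in which `trust` is replaced by the method Bruce mentions (`md5`, an assumed default that can be overridden, e.g. with `password`) and a trailing `host all 0.0.0.0 0.0.0.0 reject` line is appended when none exists. The sample file is constructed for the example, and the loopback record uses the single-address mask 255.255.255.255 so only 127.0.0.1 itself matches.

```python
"""Audit and harden a PostgreSQL 7.1-style pg_hba.conf for `trust` records.

Added example for the pgsql-hackers archive page; not project code.
Column layout handled: TYPE DATABASE [IP-ADDRESS IP-MASK] METHOD [OPTIONS]
"""

# Constructed sample input (not a real deployment's file). Line 1 is a comment,
# lines 2 and 3 are the kind of open-by-default records the thread complains about.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    IP_ADDRESS    MASK               AUTH_TYPE
local   all                                          trust
host    all         127.0.0.1     255.255.255.255    trust
host    template1   192.168.1.0   255.255.255.0      ident sameuser
"""

# Methods that let any client connect without a credential.
WEAK_METHODS = {"trust"}

# Catch-all deny record, as given in the quoted message.
REJECT_ALL_LINE = "host    all         0.0.0.0       0.0.0.0            reject"


def _parse_fields(fields):
    """Turn the whitespace-split fields of one record into a dict."""
    rec = {"type": fields[0], "database": fields[1]}
    if fields[0] == "local":
        # Unix-socket records carry no address/mask columns.
        rec.update(address=None, mask=None, method=fields[2], options=fields[3:])
    else:
        rec.update(address=fields[2], mask=fields[3], method=fields[4], options=fields[5:])
    return rec


def parse_pg_hba(text):
    """Parse every non-comment, non-blank record; keep its 1-based line number."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip trailing comments
        if not fields:
            continue
        rec = _parse_fields(fields)
        rec["lineno"] = lineno
        records.append(rec)
    return records


def find_trust_records(records):
    """Return the records that authenticate nobody at all."""
    return [r for r in records if r["method"] in WEAK_METHODS]


def _is_reject_all(rec):
    return (rec["type"] == "host" and rec["method"] == "reject"
            and rec["address"] == "0.0.0.0" and rec["mask"] == "0.0.0.0")


def harden(text, replacement="md5"):
    """Return a copy of the file with weak methods replaced and a reject-all tail.

    Comment and blank lines are preserved verbatim. A rewritten record is
    re-spaced and loses any trailing inline comment. Running harden() on its
    own output returns it unchanged.
    """
    out = []
    has_reject_all = False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            out.append(raw)
            continue
        rec = _parse_fields(fields)
        if rec["method"] in WEAK_METHODS:
            method_index = 2 if rec["type"] == "local" else 4
            fields[method_index] = replacement
            out.append("  ".join(fields))
        else:
            out.append(raw)
        if _is_reject_all(rec):
            has_reject_all = True
    if not has_reject_all:
        out.append(REJECT_ALL_LINE)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for rec in find_trust_records(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"line {rec['lineno']}: {rec['type']} {rec['database']} uses trust")
    print(harden(SAMPLE_PG_HBA))
```

Point the script at a real file with `harden(open("/etc/postgresql/pg_hba.conf").read())` and diff the result before installing it; the rewrite only changes the authentication method, so per-database rules and the `ident sameuser` record survive untouched. Setting passwords first (as the message says, via `pg_shadow` or `initdb -W`) is still required, otherwise switching `trust` to `md5` locks out accounts that have no password to present.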