Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
Date
Msg-id 200111280535.fAS5ZHX19823@candle.pha.pa.us
In response to Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
List pgsql-hackers
> "Christopher Kings-Lynne" <chriskl@familyhealth.com.au> writes:
> > This came across the phpPgAdmin list, and I'm reposting it here in case it
> > is actually true...?  If it is, is it a Postgres or a Debian package issue?
> 
> The default installation is indeed insecure with respect to other local
> users; you don't want to use TRUST auth method on a multi-user box.  We
> need to document that more prominently.  But the default install is not
> insecure w.r.t. to outside connections, because it doesn't allow any.
> In particular, this advice is horsepucky:

Let me tell you what bothers me about our default install.  If some
software installed all its data files in a world-writable directory, we
would consider it a security hole.  But because we are Internet-enabled,
and because our insecurity is only local, it seems OK to people.

I am not sure about a solution, but I am shocked we haven't been beaten
up about this more often.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
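
Added example, not part of the original message or of PostgreSQL's own code: a small auditor that flags `trust` rules in pg_hba.conf text and separates the local-users exposure described in the quoted reply from rules reachable over the network. It assumes the current pg_hba.conf column layout (which differs from the 2001-era file), unquoted names, and a constructed sample file; the function names are illustrative.

```python
# Added example: audit pg_hba.conf text for "trust" rules.
# Assumes the current column layout: local DB USER METHOD /
# host DB USER ADDRESS [NETMASK] METHOD. Quoted names with spaces are not handled.
import ipaddress

METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "gss",
           "sspi", "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}

# Constructed sample, not taken from any real system.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        scram-sha-256
host    app       app   10.0.0.0 255.255.255.0 md5
host    all       all   0.0.0.0/0      trust
"""

def parse_rule(line):
    """Return (type, address, method) for a rule line, or None."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    if tokens[0] == "local":
        return ("local", None, tokens[3]) if len(tokens) > 3 else None
    if not tokens[0].startswith("host") or len(tokens) < 5:
        return None
    if tokens[4] in METHODS:              # CIDR form: method follows address
        return (tokens[0], tokens[3], tokens[4])
    if len(tokens) > 5:                   # "address netmask" form
        return (tokens[0], tokens[3] + "/" + tokens[4], tokens[5])
    return None

def is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostnames, "all", "samehost": treat as network-reachable

def audit_trust(hba_text):
    """List (line_no, exposure) for every rule that authenticates with trust."""
    findings = []
    for no, line in enumerate(hba_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[2] != "trust":
            continue
        local_only = rule[0] == "local" or is_loopback(rule[1])
        findings.append((no, "local-users" if local_only else "network"))
    return findings

if __name__ == "__main__":
    for no, exposure in audit_trust(SAMPLE_HBA):
        print(f"line {no}: trust rule exposed to {exposure}")
```
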
 

