Postgres Pro
Downloads
Home   >   mailing lists

Re: Tightening the trust auth advice - Mailing list pgsql-docs

From Jonathan S. Katz
Subject Re: Tightening the trust auth advice
Date
Msg-id 37a6a45c-ee93-041d-664e-12399a021ac6@postgresql.org
Whole thread Raw
In response to Tightening the trust auth advice  (Magnus Hagander <magnus@hagander.net>)
List pgsql-docs
Tree view 
On 1/12/23 4:32 AM, Magnus Hagander wrote:
> The page at https://www.postgresql.org/docs/current/auth-trust.html 
> <https://www.postgresql.org/docs/current/auth-trust.html> goes through 
> some length to explain why Trust is sometimes a good idea.
> 
> Is it really though? And in particular, aren't there better choices?

This first case it lists sounds like a good case for "peer" 
authentication...and the multi-user case it lists also sounds like a goo 
use for "peer".

The case that I think "trust" is good at, which we don't list, is doing 
local development / testing of PG.

> As a first step, I think we should put a <warning> box on the page 
> explicitly saying that that trust, unless limited in pg_hba, will allow 
> any user to become superuser which allows them to bypass all other 
> security restrictions.

+1

> Second, we're kind of going out of our way to recommend setting unix 
> socket permissions etc -- in those cases, wouldn't it in almost every 
> case just be better for the user to use "peer" auth instead of trust, 
> and we should recommend them to use that instead? Is it really any less 
> appropriate and/or convenient? (It was listed as appropriate back in 
> 2001 in 6f0f5bf2fbe, but the world has changed a bit in 20+ years..)

Yeah, I think forwarding folks to the documentation on "peer" is a good 
idea here. I don't know if we want to keep any language around for 
historical context "Prior to "peer" auth, "trust" was used for this but 
on modern systems you can use "peer" instead for better security."

> And finally, the sentence "It is seldom reasonable to use trust for any 
> TCP/IP connections other than those from localhost (127.0.0.1)." should 
> probably be amended with an ", and only reasonable for localhost if you 
> trust every single user on the host"?

I'd invert it: "It is not recommended to use "trust" for any TCP/IP 
(non-local) connection. You should use "trust" with localhost 
(127.0.0.1) connections only if you trust every single user on that host."

> Thoughts? I'll be happy to work up a patch if there's agreement on the 
> general idea.

Reading through this, I'm not shocked there's still a good amount of 
"trust" prevalent in the wild. I agree with tightening this up.

Jonathan
Attachment

pgsql-docs by date:

Previous
From: PG Doc comments form
Date:
Subject: Background worker
Next
From: Corey Huinker
Date:
Subject: Adding visual clues that accesskey exists