Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> Yeah, by default Postgresql ships practically without any access controls.

It ain't *that* bad. The default configuration is "no remote access,
period", even if you give -i in the postmaster switches. True, there
are no local access controls by default, but unless someone ignores
the instructions and runs the postmaster as "bin" or another
quasi-privileged user, there's no way I can see to use the database to
break into root. (Barring site security holes, which could be exploited
by any local user anyway.)

MS SQL's problem is that any remote attacker who can reach the machine
by TCP is instantly root, or whatever the equivalent concept is on NT.
If you don't have the server port firewalled you're a sitting duck.

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions. The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

regards, tom lane