Postgres Pro
Downloads
Home   >   mailing lists

Re: Post Install / Secure PostgreSQL - Mailing list pgsql-general

From Greg Smith
Subject Re: Post Install / Secure PostgreSQL
Date
Msg-id 4CADC31F.3090409@2ndquadrant.com
Whole thread Raw
In response to Re: Post Install / Secure PostgreSQL  (Alan Hodgson <ahodgson@simkin.ca>)
List pgsql-general
Tree view 
Alan Hodgson wrote:
> The default setup allows "trust" access which means it trusts local system
> accounts to login as the same roles in Pg without specifying a password.
>

There's two small inaccuracies with how you're describing this part.
First, having "trust" be the default is the case for PostgreSQL itself.
But many of the packaged versions of it instead default to "ident".  You
really need to look at the pg_hba.conf file after you first do an
installation on a new operating system or packaging type to know for
sure what it did, if you let that package creating the cluster for you.

Second, it's "ident" that lets you login only to the role that matches
your system account.  If you use "trust", you can login as any database
user from any system account.  It's kind of disturbing to some people
when they realize they can be logged into a regular account and go "psql
-U postgres" and they're right in as the database superuser in that
configuration.

As a larger commentary on this somewhat old thread I'm just getting to
now, it's easy to point at MySQL and laugh at the insecure by default
setup.  It's just as easy to point and laugh at how complicated it is
for those new to PostgreSQL to get the basic things most people want
working.  I can imagine a small script similar to the MySQL one--I guess
we could call it postgresql_unsecure_installation--that asked a few
questions and did things like setup the PostgreSQL account with a
password, switch to md5 authentication, set listen_address, and turn on
TCP/IP for the local LAN in the pg_hba.conf.  The saga Carlos has gone
through here is repeated over and over again by those new to PostgreSQL,
and not making it easier to do this extremely common sequence crossed
over into being an advocacy issue a while ago in my mind.  It would be a
great script for someone who wanted to contribute something to
PostgreSQL, but doesn't feel comfortable working on the core code, to write.

--
Greg Smith, 2ndQuadrant US greg@2ndQuadrant.com Baltimore, MD
PostgreSQL Training, Services and Support  www.2ndQuadrant.us
Author, "PostgreSQL 9.0 High Performance"    Pre-ordering at:
https://www.packtpub.com/postgresql-9-0-high-performance/book

pgsql-general by date:

Previous
From: Devrim GÜNDÜZ
Date:
Subject: Re: VACUUM FULL for performance
Next
From: Leonardo Francalanci
Date:
Subject: Re: VACUUM FULL for performance