Is "trust" really a good default? - Mailing list pgsql-hackers

From Magnus Hagander
Subject Is "trust" really a good default?
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE1716D2@algol.sollentuna.se
Responses Re: Is "trust" really a good default?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Is it really such a good idea to have "trust" authentication enabled for
localhost (TCP/IP and Unix sockets) by default? Since this pretty much
means that anybody with shell access on the server (which depending on
the situation can be only dba people, or a whole lot of other people as
well) can do anything they want with the database, regardless of
permissions?

In some situations this is certainly safe (say a dedicated db server
which only trusted dba:s have access to). In others it's very definitely
not (say a shared hosting machine with hundreds of users). And even in
the first case, it provides a really simple way to get around any
auditing that is set up.

Wouldn't it be safer if you had to explicitly ask for this level if you
really know what you're doing, and default to using password auth (and
then probably have initdb require a superuser password to be specified)?


//Magnus
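
Added example, not part of the original message and not PostgreSQL project code: a small audit that lists the pg_hba.conf records granting "trust" on Unix sockets or loopback TCP/IP, the default questioned above. The function names and the sample file are constructed for illustration; the parser assumes no quoted fields containing whitespace and no backslash line continuations.

```python
import ipaddress

# Record types that carry an address field in pg_hba.conf.
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def is_loopback(address, mask=None):
    """True when the address field covers loopback addresses only."""
    if address == "localhost":
        return True
    if mask is not None:
        # Turn a separate netmask field into a prefix length (IPv4 or IPv6).
        address = f"{address}/{bin(int(_as_ip(mask))).count('1')}"
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname or keyword such as "all" or "samenet"

def find_local_trust(hba_text):
    """Return (line_no, type, database, user) for each trust record that
    applies to Unix sockets or to loopback TCP/IP connections."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local":
            method, local_scope = fields[3], True
        elif len(fields) >= 5 and fields[0] in HOST_TYPES:
            # The address is either one CIDR field or an IP plus a netmask field.
            has_mask = len(fields) >= 6 and _as_ip(fields[4]) is not None
            method = fields[5] if has_mask else fields[4]
            local_scope = is_loopback(fields[3], fields[4] if has_mask else None)
        else:
            continue
        if method == "trust" and local_scope:
            findings.append((line_no, fields[0], fields[1], fields[2]))
    return findings

# Constructed sample file, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all  all                              trust
host    all  all  127.0.0.1/32                trust
host    all  all  ::1  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  trust
host    all  all  127.0.0.1  255.255.255.255  md5
host    all  all  10.0.0.0/8                  md5
"""

if __name__ == "__main__":
    for finding in find_local_trust(SAMPLE_HBA):
        print("trust on local scope: line %d (%s, db=%s, user=%s)" % finding)
```

Each reported line is a record where any account with shell access on the host can connect as the listed database user without a password.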


