On 1/7/06, Magnus Hagander <mha@sollentuna.net> wrote:
> > A recent article about an Oracle worm:
> > http://www.eweek.com/article2/0,1895,1880648,00.asp
> > got me wondering.
> > Could a worm like this infect a PostgreSQL installation?
> > It seems to depend on default usernames and passwords - and
> > lazy DBAs, IMO.
> > Isn't it true that PostgreSQL doesn't have any default user/password?
>
> That's true. however, PostgreSQL ships by default with access mode set
> to "trust", which means you don't *need* a password. And I bet you'll
> find the user being either "postgres" or "pgsql" in 99+% of all
> installations.
>
> We do, however, ship with network access disabled by default. Which
> means a worm can't get to it, until you enable that. But if you enable
> network access, and don't change it from "trust" to something else (such
> as md5), then you're wide open to this kind of entry.
>
I don't think it's quite that easy. The default installs from SUSE
and other RPM I have done are set to ident sameuser for local
connections. Even if you turn on the -i flag, you can't get in
remotely since there is no pg_hba.conf record for the rest of the
world by default. You would have to add a record to pg_hba.conf.
PostgreSQL is remarkably secure out of the box compared to Brand X.