Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone! - Mailing list pgsql-hackers

From Tom Lane
Subject Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
Msg-id 796.1006921893@sss.pgh.pa.us
In response to FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!  ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>)
Responses Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
List pgsql-hackers
"Christopher Kings-Lynne" <chriskl@familyhealth.com.au> writes:
> This came across the phpPgAdmin list, and I'm reposting it here in case it
> is actually true...?  If it is, is it a Postgres or a Debian package issue?

The default installation is indeed insecure with respect to other local
users; you don't want to use TRUST auth method on a multi-user box.  We
need to document that more prominently.  But the default install is not
insecure w.r.t. outside connections, because it doesn't allow any.
In particular, this advice is horsepucky:

> Also, If you wish to block connections from the internet, add this also:
> host         all         0.0.0.0       0.0.0.0             reject

because that will happen anyway.
        regards, tom lane
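
The point made in the message above, as an added example that is not part of the original e-mail or of PostgreSQL itself: a small audit of pg_hba.conf records that lists `trust` entries and shows a remote client is refused whether or not a catch-all `reject` line is present. It assumes the address/mask record layout of the quoted line, first-match evaluation, and refusal when no record matches; the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample, not from a real installation. Layout assumed from the
# line quoted above: "local DB AUTH" and "host DB IP MASK AUTH".
SAMPLE_HBA = """\
local   all                                 trust
host    all    127.0.0.1  255.255.255.255   trust
"""

def parse_hba(text):
    """Return (conn_type, database, network_or_None, auth) records in file order."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 3:
            records.append(("local", fields[1], None, fields[2]))
        elif fields[0] == "host" and len(fields) >= 5:
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            records.append(("host", fields[1], net, fields[4]))
        else:
            raise ValueError(f"unrecognised record: {raw!r}")
    return records

def decide(records, conn_type, database, client_ip=None):
    """Auth method of the first matching record, or None when nothing matches."""
    for rtype, db, net, auth in records:
        if rtype != conn_type or db not in ("all", database):
            continue  # simplification: only "all" and exact database names
        if rtype == "host" and ipaddress.ip_address(client_ip) not in net:
            continue
        return auth
    return None

def admits(records, conn_type, database, client_ip=None):
    """True if the connection gets as far as an auth method other than reject."""
    return decide(records, conn_type, database, client_ip) not in (None, "reject")

def trust_findings(records):
    """Records that let a matching client in with no credential check."""
    return [r for r in records if r[3] == "trust"]

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for r in trust_findings(recs):
        print("trust record:", r[0], r[1], r[2])
    print("remote client admitted:", admits(recs, "host", "template1", "203.0.113.5"))
```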

