Home > mailing lists

Re: Sample pg_hba.conf allows local users to access all databases - Mailing list pgsql-general

From	David G. Johnston
Subject	Re: Sample pg_hba.conf allows local users to access all databases
Date	August 1, 2023 20:35:46
Msg-id	CAKFQuwaEgcxAu-NFF+v57yedfrzWxdgc+b00fXd3gK3PT-7PeA@mail.gmail.com Whole thread Raw
In response to	Sample pg_hba.conf allows local users to access all databases (William Edwards <wedwards@cyberfusion.nl>)
Responses	Re: Sample pg_hba.conf allows local users to access all databases
List	pgsql-general

Tree view

On Tue, Aug 1, 2023 at 10:13 AM William Edwards <wedwards@cyberfusion.nl> wrote:

This allows all local users connecting over TCP to access all databases,
not only the databases that the user is a member of as one might expect.

Proof that user is able to access database that it is not a member of is
below.

Roles do not gain membership in databases. Roles can be granted permissions on databases (mainly CONNECT). And all roles, via PUBLIC, get connect privileges on all databases by default. So the pg_hba.conf entry is not causing something to happen against the wishes of the privileges system.

https://www.postgresql.org/docs/current/ddl-priv.html

And yes, this is a usability vs secure-by-default that hasn't seen enough complaint to take on changing the default.

David J.

pgsql-general by date:

From: Christophe Pettus
Date: 01 August 2023, 20:34:54
Subject: Re: Sample pg_hba.conf allows local users to access all databases

From: Amn Ojee Uw
Date: 01 August 2023, 21:42:41
Subject: Re: error: connection to server on socket...

Re: Sample pg_hba.conf allows local users to access all databases - Mailing list pgsql-general

Previous

Next