Re: What goes into the security doc? - Mailing list pgsql-hackers

From Christopher Kings-Lynne
Subject Re: What goes into the security doc?
Date
Msg-id GNELIHDDFBOCMGBFGEFOGECMCFAA.chriskl@familyhealth.com.au
Whole thread Raw
In response to Re: What goes into the security doc?  (Robert Treat <xzilla@users.sourceforge.net>)
Responses Re: What goes into the security doc?
List pgsql-hackers
Recommend always running "initdb -W" and setting all pg_hba entries to md5.

Chris


> -----Original Message-----
> From: pgsql-hackers-owner@postgresql.org
> [mailto:pgsql-hackers-owner@postgresql.org]On Behalf Of Robert Treat
> Sent: Tuesday, 21 January 2003 11:17 PM
> To: Dan Langille
> Cc: pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] What goes into the security doc?
>
>
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
>
> * Should have a mention of the pgcrypto code in contrib.
>
> * Brain hiccup, but isn't there some type of "password" datatype
>
> * Explanation of problems/solutions of using md5 passwords inside
> postgresql. this has tripped up a lot of people upgrading to 7.3
>
> * possibly go into server resource issues and the pitfalls in giving
> free form sql access to just anyone. (Think unconstrained join on all
> tables in a database)
>
> hth,
>
> Robert Treat
>
> On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> > With reference to my post to the "PostgreSQL Password Cracker" on
> > 2003-01-02, I've promised to write a security document for the project.
> > Here it is, Sunday night, and I can't sleep.  What better way
> to get there
> > than start this task...
> >
> > My plan is to write this in very simple HTML.  I will post the draft
> > document on my website and post the URL here from time to time for
> > feedback. Please make suggestions for content.  So far, I will
> cover these
> > items:
> >
> > - .pgpass (see
> > http://developer.postgresql.org/docs/postgres/libpq-files.html)
> > - local connections
> > - remote connections (recommending SSL)
> > - pg_hba (only in passing, most of that is at
> > http://www.postgresql.org/idocs/index.php?client-authentication.html)
> > - running the postmaster as a specific user
> >
> > That doesn't sound like much.  Surely you can think of something else to
> > add.  Should I post this to another list for their views?
> >
> > OK, that's done it.  I'm ready for sleep now.
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>



pgsql-hackers by date:

Previous
From: "Dann Corbit"
Date:
Subject: Re: [mail] Re: Win32 port patches submitted
Next
From: "Christopher Kings-Lynne"
Date:
Subject: Re: Call for objections: put back OIDs in CREATE TABLE AS/SELECT INTO