FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone! - Mailing list pgsql-hackers

From Christopher Kings-Lynne
Subject FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
Date
Msg-id GNELIHDDFBOCMGBFGEFOOEJECAAA.chriskl@familyhealth.com.au
Whole thread Raw
Responses Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
List pgsql-hackers
Hi guys,

This came across the phpPgAdmin list, and I'm reposting it here in case it
is actually true...?  If it is, is it a Postgres or a Debian package issue?

Chris

-----Original Message-----
From: phppgadmin-devel-admin@lists.sourceforge.net
[mailto:phppgadmin-devel-admin@lists.sourceforge.net]On Behalf Of Guilherme
Barile
Sent: Wednesday, 28 November 2001 3:58 AM
To: phpPgAdmin-devel@lists.sourceforge.net
Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
anyone!


Debian comes with a severe configuration fault in postgresql ... in
pg_hba.conf, it uses TRUST as the default authentication method (from
localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
password.

There are DOZENS of sites out there running without any security! And this
is terrible! If I weren't a very nice person and simply didn't change
anything (I could, as postgres is superuser and I can log as it).
Here's how to fix it (on debian, don't know if any other distribution is
affected):
log in as postgres
run psql
check the pg_shadow table (SELECT * FROM pg_shadow;)
see if everyone has a password (especially user postgres)

After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
following lines:

local        all                                           password
host         all         127.0.0.1     255.0.0.0           password

Then it will require a password.
Also, If you wish to block connections from the internet, add this also:

host         all         0.0.0.0       0.0.0.0             reject

Please put this on the page or together with PhpPgAdmin's documentation.
(Search google.com with "phppgadmin local:5432" and check for yourself ...
login as postgres and type anything as password!)


Thank you very much for your attention (Please be kind and reply)

Guilherme Barile
Infoage Web Solutions
Sao Paulo - SP - Brazil



pgsql-hackers by date:

Previous
From: Jan Wieck
Date:
Subject: Possible bug in new VACUUM code
Next
From: Bruce Momjian
Date:
Subject: Re: ALTER TABLE ADD COLUMN column SERIAL -- unexpected results