Thread: users and passwords problem
PG 7.0.2, RH Linux 6.2
I'm trying to secure access to pgsql databases.
the politic I use is to only allow access databases with passwords.
for this, I use in pg_hba.conf :
local all password
host all 127.0.0.1 255.255.255.255 password
I don't understand why with this configuration I can access to all
databases even if I'm not the owner, for example : If the database test is
owned by user1 and this user has all grants on all tables in this
database, every user created with "CREATE USER ..." (with or without
password) in the local system can run a command like :
user2% psql test -U user1
Welcome to psql, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
test=>
Why this access is allowed ?
How to secure accesses to databases ?
I don't see where is the problem.
Thanks for your suggestions.
Denis Pugnère
Denis Pugnere wrote: > > PG 7.0.2, RH Linux 6.2 > > I'm trying to secure access to pgsql databases. > the politic I use is to only allow access databases with passwords. > > for this, I use in pg_hba.conf : > local all password > host all 127.0.0.1 255.255.255.255 password > > I don't understand why with this configuration I can access to all > databases even if I'm not the owner, for example : If the database test is > owned by user1 and this user has all grants on all tables in this > database, every user created with "CREATE USER ..." (with or without > password) in the local system can run a command like : > > user2% psql test -U user1 > Welcome to psql, the PostgreSQL interactive terminal. > > Type: \copyright for distribution terms > \h for help with SQL commands > \? for help on internal slash commands > \g or terminate with semicolon to execute query > \q to quit > > test=> > > Why this access is allowed ? > How to secure accesses to databases ? Have that "unauthorized" user try a SELECT and see what happens. They are allowed to connect, but not to retrieve any records. -- Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/> PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D Linux. The choice of a GNU Generation. <http://www.linux.org/>
----- Original Message ----- From: Anthony E. Greene <agreene@pobox.com> To: <pgsql-admin@postgresql.org> Sent: Thursday, July 13, 2000 4:06 PM Subject: Re: [ADMIN] users and passwords problem > Denis Pugnere wrote: > > > > PG 7.0.2, RH Linux 6.2 > > > > I'm trying to secure access to pgsql databases. > > the politic I use is to only allow access databases with passwords. > > (...) > > Why this access is allowed ? > > How to secure accesses to databases ? > > Have that "unauthorized" user try a SELECT and see what happens. They > are allowed to connect, but not to retrieve any records. Yes but they still can create new objects, e.g. "CREATE TABLE foo (id serial, desc varchar(10));" even if they aren't database owners. I think this is a known problem and I've heard it will be soon fixed. Bye, Jacopo
--- Denis Pugnere <Denis.Pugnere@igh.cnrs.fr> wrote: > > PG 7.0.2, RH Linux 6.2 > > I'm trying to secure access to pgsql databases. > the politic I use is to only allow access databases > with passwords. > > for this, I use in pg_hba.conf : > local all password > host all 127.0.0.1 255.255.255.255 password > Why this access is allowed ? You can modify pg_hba.conf in order to allow or deny access to some users to the definite DBs using external password file ( read the manual for details). I think that this method is clumsy, but there is no other way to do this in PostgreSQL and i think this should be completely redone.There is another problem: unfortunately you can't deny cteating of tables in the allowed DBs (This will be fixed in 7.1 according to TODO list). regards, Rumen __________________________________________________ Do You Yahoo!? Get Yahoo! Mail � Free email you can access from anywhere! http://mail.yahoo.com/