users and passwords problem

From
Denis Pugnere
Date:
PG 7.0.2, RH Linux 6.2

I'm trying to secure access to pgsql databases.
The policy I use is to only allow access to databases with passwords.

for this, I use in pg_hba.conf :
local    all                     password
host    all    127.0.0.1    255.255.255.255    password


I don't understand why with this configuration I can access all
databases even if I'm not the owner. For example: if the database test is
owned by user1 and this user has all grants on all tables in this
database, every user created with "CREATE USER ..." (with or without
password) on the local system can run a command like:

user2% psql test -U user1
Welcome to psql, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

test=>

Why is this access allowed?
How do I secure access to the databases?

I don't see where is the problem.
Thanks for your suggestions.

Denis Pugnère


Re: users and passwords problem

From
"Anthony E. Greene"
Date:
Denis Pugnere wrote:
>
> PG 7.0.2, RH Linux 6.2
>
> I'm trying to secure access to pgsql databases.
> The policy I use is to only allow access to databases with passwords.
>
> for this, I use in pg_hba.conf :
> local   all                                     password
> host    all     127.0.0.1       255.255.255.255 password
>
> I don't understand why with this configuration I can access all
> databases even if I'm not the owner. For example: if the database test is
> owned by user1 and this user has all grants on all tables in this
> database, every user created with "CREATE USER ..." (with or without
> password) on the local system can run a command like:
>
> user2% psql test -U user1
> Welcome to psql, the PostgreSQL interactive terminal.
>
> Type:  \copyright for distribution terms
>        \h for help with SQL commands
>        \? for help on internal slash commands
>        \g or terminate with semicolon to execute query
>        \q to quit
>
> test=>
>
> Why is this access allowed?
> How do I secure access to the databases?

Have that "unauthorized" user try a SELECT and see what happens. They
are allowed to connect, but not to retrieve any records.

--
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
Linux. The choice of a GNU Generation. <http://www.linux.org/>

R: users and passwords problem

From
"Jacopo Silva"
Date:
----- Original Message -----
From: Anthony E. Greene <agreene@pobox.com>
To: <pgsql-admin@postgresql.org>
Sent: Thursday, July 13, 2000 4:06 PM
Subject: Re: [ADMIN] users and passwords problem


> Denis Pugnere wrote:
> >
> > PG 7.0.2, RH Linux 6.2
> >
> > I'm trying to secure access to pgsql databases.
> > The policy I use is to only allow access to databases with passwords.
> >  (...)
> > Why is this access allowed?
> > How do I secure access to the databases?
>
> Have that "unauthorized" user try a SELECT and see what happens. They
> are allowed to connect, but not to retrieve any records.

Yes, but they still can create new objects, e.g. "CREATE TABLE foo (id
serial, desc varchar(10));" even if they aren't database owners. I think
this is a known problem and I've heard it will be fixed soon.

Bye,

Jacopo




Re: users and passwords problem

From
R D
Date:
--- Denis Pugnere <Denis.Pugnere@igh.cnrs.fr> wrote:
>
> PG 7.0.2, RH Linux 6.2
>
> I'm trying to secure access to pgsql databases.
> The policy I use is to only allow access to databases
> with passwords.
>
> for this, I use in pg_hba.conf :
> local    all                     password
> host    all    127.0.0.1   255.255.255.255 password

> Why is this access allowed?

You can modify pg_hba.conf in order to allow or deny
access to the specified DBs for some users by using an
external password file (read the manual for details).
I think that this method is clumsy, but there is no
other way to do this in PostgreSQL and I think this
should be completely redone. There is another problem:
unfortunately you can't deny creating tables in the
allowed DBs (this will be fixed in 7.1 according to the
TODO list).

regards,
Rumen
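The thread's root cause is that the two pg_hba.conf rows use `all` in the database column with plain `password` and no password-file argument, so every user who can authenticate at all may connect to every database. The following audit script is an added example and is not code from the thread or from the PostgreSQL project. It assumes the PostgreSQL 7.0 pg_hba.conf layout quoted above (no user column; an optional password-file name after `password` restricts the row to the users listed in that file) and flags rows of the kind Denis posted, plus `trust` rows and `0.0.0.0` masks; the sample file is constructed for the example.

```python
"""Audit a PostgreSQL 7.0-style pg_hba.conf for rows that let any
authenticated user reach any database.

Added example, not part of the thread.  Assumed row layout (7.0):
    local  DATABASE  METHOD [AUTH_ARG]
    host   DATABASE  IP  MASK  METHOD [AUTH_ARG]
For METHOD "password", AUTH_ARG is the optional name of a password
file under $PGDATA; only users listed in it match the row.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two rows from the thread plus two variants.
SAMPLE_HBA = """
# pg_hba.conf (constructed sample)
local    all                     password
host    all    127.0.0.1    255.255.255.255    password
host    all    0.0.0.0      0.0.0.0            trust
local   test                    password   pg_pwd_test
"""


@dataclass
class HbaRow:
    kind: str                 # "local" or "host"
    database: str             # database name or "all"
    method: str               # auth method, e.g. "password", "trust"
    auth_arg: Optional[str]   # optional password-file name
    address: Optional[str] = None
    mask: Optional[str] = None
    lineno: int = 0


def parse_hba(text: str) -> List[HbaRow]:
    """Parse 7.0-style rows; comments and blank lines are skipped."""
    rows: List[HbaRow] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and 3 <= len(f) <= 4:
            rows.append(HbaRow("local", f[1], f[2],
                               f[3] if len(f) == 4 else None, lineno=lineno))
        elif f[0] == "host" and 5 <= len(f) <= 6:
            rows.append(HbaRow("host", f[1], f[4],
                               f[5] if len(f) == 6 else None,
                               address=f[2], mask=f[3], lineno=lineno))
        else:
            raise ValueError(f"line {lineno}: unrecognised pg_hba.conf row: {raw!r}")
    return rows


def audit(rows: List[HbaRow]) -> List[str]:
    """Return one finding per over-permissive property of a row."""
    findings: List[str] = []
    for r in rows:
        where = f"line {r.lineno} ({r.kind} {r.database})"
        if r.method == "trust":
            findings.append(f"{where}: 'trust' skips authentication entirely")
        elif r.method == "password" and r.database == "all" and r.auth_arg is None:
            findings.append(
                f"{where}: every user with a password may connect to every "
                "database; add a password-file argument to limit the row to "
                "listed users, or name the database instead of 'all'")
        if r.kind == "host" and r.mask == "0.0.0.0":
            findings.append(f"{where}: mask 0.0.0.0 matches every client address")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_hba(SAMPLE_HBA)):
        print(finding)
```

Run against the constructed sample, the first two rows (the ones from the thread) are both reported, the `trust` row is reported twice (method and mask), and the per-database row with a password file is clean. The script only answers the authentication half of the question; Jacopo's point that a connected user can still create tables is an authorization gap that pg_hba.conf cannot close in 7.0.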
