Thread: security

security

From
hubert baumgartner
Date:
hi guys ....

i have a few security concerns about postgres database and would like
to know if there is a possibility to compile postgres in a way that it only
accepts password authentication, and ignores the pg_hba.conf file ....
any ideas ?

I hope to get an answer

regards
hubert


***DISclaimer***
I hereby distance myself, and everyone else who knows me or does
not, from the statements made by me or by others.
Should anyone take offence at my remarks, I will
immediately take everything back and claim the opposite.
Naturally I have no opinion of my own and do not express
one either.
(c) by hubertba- all rights violated
***DISclaimer***


Re: security

From
Tom Lane
Date:
hubert baumgartner <hubert_baumgartner@mac.com> writes:
> i have a few security concerns about postgres database and would like
> to know if there is a possibility to compile postgres in a way that it only
> accepts password authentication, and ignores the pg_hba.conf file ....
> any ideas ?

I suppose you could rip all the auth methods except password out of the
code ... but I cannot imagine a more complete waste of time.  If someone
has write access to the pg_hba.conf file, then they have already broken
into your postgres account or your root account.  The game is over;
there isn't anything in your database that they can't read, change, or
delete.  Even more to the point, there's nothing stopping them from
changing all the database passwords.  What makes you think that password
authentication is one iota more secure than any other method, under
such conditions?

            regards, tom lane
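
The two concerns in this thread (rules that accept something other than a password, and who can write pg_hba.conf) can be checked without recompiling anything. The following Python audit is an added example, not part of the thread or of PostgreSQL; the sample file is constructed, the function names are hypothetical, and treating `reject` as acceptable is an assumption.

```python
import ipaddress
import os
import shlex
import stat

# Methods where the client must present a password; "reject" denies outright.
ACCEPTABLE = {"password", "md5", "scram-sha-256", "reject"}

# Constructed sample pg_hba.conf content, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS             METHOD
local   all       postgres                      peer
local   all       all                           scram-sha-256
host    all       all       127.0.0.1/32        trust
host    all       all       10.0.0.0 255.0.0.0  md5
hostssl all       all       0.0.0.0/0           cert
host    all       all       ::1/128             reject
"""

def non_password_rules(hba_text):
    """Return (line_no, method) for every rule that is not password-based."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not tokens or tokens[0].startswith("include"):
            continue
        idx = 3  # local: TYPE DATABASE USER METHOD
        if tokens[0] != "local":
            idx = 4  # host*: TYPE DATABASE USER ADDRESS METHOD
            try:
                ipaddress.ip_address(tokens[4])  # separate netmask column present
                idx = 5
            except (ValueError, IndexError):
                pass
        method = tokens[idx] if len(tokens) > idx else "<malformed>"
        if method not in ACCEPTABLE:
            findings.append((line_no, method))
    return findings

def loosely_writable(mode):
    """True if the file mode lets group or other write the file."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(path):
    """Audit a real file: rule findings plus the write-permission check."""
    with open(path, encoding="utf-8") as fh:
        rules = non_password_rules(fh.read())
    return rules, loosely_writable(os.stat(path).st_mode)

if __name__ == "__main__":
    print(non_password_rules(SAMPLE_HBA))
```
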