Thread: Local Host Security? All users should have passwords optionally...

Local Host Security? All users should have passwords optionally...

From
pgsql-bugs@postgresql.org
Date:
Iván Baldo (ivan.baldo@pilasnet.com) reports a bug with a severity of 2
The lower the number the more severe it is.

Short Description
Local Host Security? All users should have passwords optionally...

Long Description
I wanted to add passwords to all the users on the database, including the postgres user, etc. Then everything is
authenticatedusing "crypt" method, so it asks passwords EVERYTIME. 
The problem I found is that I cannot do a "pg_dumpall" anymore, since I have no way to tell it to use the "postgres"
userwith a given password. It tries to use the user "root" without password and it fails miserably! 
What happens if a hacker (or worst, a cracker!) enters to the machine somehow and I don't ask passwords for unix domain
sockets?Well, it has access to all my data... Ok, this should not happen, but I worry if it happens and I think it is
importantto enforce the security a little more in Postgres. The documentation doesn't say anything about this... 

Sample Code


No file was uploaded with this report

Re: Local Host Security? All users should have passwords optionally...

From
Peter Eisentraut
Date:
> Iván Baldo (ivan.baldo@pilasnet.com) reports a bug with a severity of 2

> I wanted to add passwords to all the users on the database, including
> the postgres user, etc. Then everything is authenticated using "crypt"
> method, so it asks passwords EVERYTIME. The problem I found is that I
> cannot do a "pg_dumpall" anymore, since I have no way to tell it to
> use the "postgres" user with a given password.

This is a known problem.  You could try to patch pg_dumpall to pass the -u
option every time it calls pg_dump and psql.

> It tries to use the
> user "root" without password and it fails miserably! What happens if a
> hacker (or worst, a cracker!) enters to the machine somehow and I
> don't ask passwords for unix domain sockets?

Try changing the permissions on the socket file (chmod).

--
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/