Thread: Pg_hba not using local setting
Hello, Running version 7.1, have the following entry in PG_HBA.CONF: --- Local all trust Host all 123.0.0.0 255.255.255.0 password --- With that setting, anyone can login to the database [via our web based interface] WITHOUT a valid password. If I change local from trust to password then web based users have to enter their specific password to login to the database. But none of the backup scripts run because postgres needs a password. Is this a bug, or do I have a misunderstanding of the local use? Thanks, -jim
On Fri, 2003-03-14 at 17:22, James Hall wrote: > Running version 7.1, have the following entry in PG_HBA.CONF: > --- > Local all trust > Host all 123.0.0.0 255.255.255.0 > password > --- > > With that setting, anyone can login to the database [via our web based > interface] > WITHOUT a valid password. If I change local from trust to password then web > based users have to enter their specific password to login to the database. > But none of the backup scripts run because postgres needs a password. > > Is this a bug, or do I have a misunderstanding of the local use? What is your web interface programmed in? I have setup a tomcat user who can access the database. So only tomcat and the postgres users can access the database. Users log into the application, not the database in my case. I think that might be a better security model. Cheers Tony Grant -- www.tgds.net Library management software toolkit, redhat linux on Sony Vaio C1XD, Dreamweaver MX with Tomcat and PostgreSQL
James Hall <James.Hall@RadioShack.com> writes: > Hello, > > Running version 7.1, have the following entry in PG_HBA.CONF: > --- > Local all trust > Host all 123.0.0.0 255.255.255.0 > password > --- > > With that setting, anyone can login to the database [via our web based > interface] > WITHOUT a valid password. If I change local from trust to password then web > based users have to enter their specific password to login to the database. > But none of the backup scripts run because postgres needs a password. > > Is this a bug, or do I have a misunderstanding of the local use? It sounds like you're running the webserver on the same machine as the database. If this is true, and if you're not using Java (which doesn't do local sockets) the client access library is probably using a local (AF_UNIX) socket to connect, which triggers the "Local" entry in pg_hba.conf. If you explicitly tell the webserver to connect using an IP address, it should come in via a TCP connection and trigger the "Host" line that you have. -Doug
Thanks for your response. I changed pg_hba.conf to include the server ip address as shown below: --- Local all trust Host all 123.456.789.10 255.255.255.0 password --- But still have the same result (users can login with any password if local is set to trust). The web server is on the same machine as the database, no java used. Did I misunderstand your comment regarding telling the webserver to connect using an IP address? Thanks, -jim -----Original Message----- From: Doug McNaught [mailto:doug@mcnaught.org] Sent: Friday, March 14, 2003 10:38 AM To: James Hall Cc: pgsql-general@postgresql.org Subject: Re: [GENERAL] Pg_hba not using local setting James Hall <James.Hall@RadioShack.com> writes: > Hello, > > Running version 7.1, have the following entry in PG_HBA.CONF: > --- > Local all trust > Host all 123.0.0.0 255.255.255.0 > password > --- > > With that setting, anyone can login to the database [via our web based > interface] WITHOUT a valid password. If I change local from trust to > password then web based users have to enter their specific password to > login to the database. But none of the backup scripts run because > postgres needs a password. > > Is this a bug, or do I have a misunderstanding of the local use? It sounds like you're running the webserver on the same machine as the database. If this is true, and if you're not using Java (which doesn't do local sockets) the client access library is probably using a local (AF_UNIX) socket to connect, which triggers the "Local" entry in pg_hba.conf. If you explicitly tell the webserver to connect using an IP address, it should come in via a TCP connection and trigger the "Host" line that you have. -Doug
James Hall <James.Hall@RadioShack.com> writes: > Thanks for your response. > > I changed pg_hba.conf to include the server ip address as shown below: > --- > Local all trust > Host all 123.456.789.10 255.255.255.0 > password > --- > > But still have the same result (users can login with any password if local > is set to trust). The web server is on the same machine as the database, no > java used. > > Did I misunderstand your comment regarding telling the webserver to connect > using an IP address? Yes. You need to set the webapp's database config to make it connect to an IP address instead of using the Unix socket (which it does by default for same-machine connections). I can't tell you how to do this because you haven't said what language/app server you're using for the website. -Doug
I thought I may be confused. I am using RH 7.1(apache) and perl. Thanks, -jim -----Original Message----- From: Doug McNaught [mailto:doug@mcnaught.org] Sent: Friday, March 14, 2003 12:49 PM To: James Hall Cc: pgsql-general@postgresql.org Subject: Re: [GENERAL] Pg_hba not using local setting James Hall <James.Hall@RadioShack.com> writes: > Thanks for your response. > > I changed pg_hba.conf to include the server ip address as shown below: > --- > Local all trust > Host all 123.456.789.10 255.255.255.0 > password > --- > > But still have the same result (users can login with any password if > local is set to trust). The web server is on the same machine as the > database, no java used. > > Did I misunderstand your comment regarding telling the webserver to > connect using an IP address? Yes. You need to set the webapp's database config to make it connect to an IP address instead of using the Unix socket (which it does by default for same-machine connections). I can't tell you how to do this because you haven't said what language/app server you're using for the website. -Doug
On Fri, 2003-03-14 at 18:48, Doug McNaught wrote: > James Hall <James.Hall@RadioShack.com> writes: > > > Thanks for your response. > > > > I changed pg_hba.conf to include the server ip address as shown below: > > --- > > Local all trust > > Host all 123.456.789.10 255.255.255.0 > > password > > --- > > > > But still have the same result (users can login with any password if local > > is set to trust). The web server is on the same machine as the database, no > > java used. > > > > Did I misunderstand your comment regarding telling the webserver to connect > > using an IP address? > > Yes. > > You need to set the webapp's database config to make it connect to > an IP address instead of using the Unix socket (which it does by > default for same-machine connections). I can't tell you how to do > this because you haven't said what language/app server you're using > for the website. The webserver is on the same mahine and is not specifying a hostname when it connects to PostgreSQL; therefore a Unix socket is used and the local line in pg_hba.conf governs it. If you tell it to connect to localhost, it will use TCP/IP instead. You then need a host line for 127.0.0.1. -- Oliver Elphick Oliver.Elphick@lfix.co.uk Isle of Wight, UK http://www.lfix.co.uk/oliver GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C ======================================== "Bless them which persecute you; bless, and curse not. Rejoice with them that do rejoice, and weep with them that weep. Recompense to no man evil for evil. Provide things honest in the sight of all men." Romans 12:14,15,17