Thread: Re: [HACKERS] Is "trust" really a good default?
>>> The only part of this discussion that I'd really be prepared
>>> to buy into
>>> is the part about *if* you use -W or --pwfile, then set up
>>> pg_hba.conf
>>> with MD5 as the default auth (because that's probably what the user
>>> wants anyway).
>
>> Ok. Here is a patch that does this.
>
>... and rather severely mangles the comments, too;

Um, no, it doesn't. At least not on my installation.

> not to mention the
>more basic problem that the comments will now be wrong.

That, however, is correct :-( Sloppy.

How about a text along the line of:

CAUTION: Configuring the system for "trust" authentication allows any
local user to connect using any PostgreSQL user name, including the
superuser, over either Unix domain sockets or TCP/IP. If you are on
a multiple-user machine, this is probably not good. Change it to use
something other than "trust" authentication.

Or something along that line? Since it would no longer actually be
default. Or do we want something like "On some installations, the
default is..."?

//Magnus
Magnus Hagander wrote:
> >>> The only part of this discussion that I'd really be prepared
> >>> to buy into
> >>> is the part about *if* you use -W or --pwfile, then set up
> >>> pg_hba.conf
> >>> with MD5 as the default auth (because that's probably what the user
> >>> wants anyway).
> >
> >> Ok. Here is a patch that does this.
> >
> >... and rather severely mangles the comments, too;
>
> Um, no, it doesn't. At least not on my installation.
>
> > not to mention the
> >more basic problem that the comments will now be wrong.
>
> That, however, is correct :-( Sloppy.
>
> How about a text along the line of:
> CAUTION: Configuring the system for "trust" authentication allows any
> local user to connect using any PostgreSQL user name, including the
> superuser, over either Unix domain sockets or TCP/IP. If you are on
> a multiple-user machine, this is probably not good. Change it to use
> something other than "trust" authentication.

New wording:

CAUTION: Configuring the system for local "trust" authentication allows any
local user to connect as any PostgreSQL user, including the database
superuser. If you do not trust all your local users, use another
authentication method.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Magnus Hagander wrote:
> > not to mention the
> >more basic problem that the comments will now be wrong.
>
> That, however, is correct :-( Sloppy.
>
> How about a text along the line of:
> CAUTION: Configuring the system for "trust" authentication allows any
> local user to connect using any PostgreSQL user name, including the
> superuser, over either Unix domain sockets or TCP/IP. If you are on
> a multiple-user machine, this is probably not good. Change it to use
> something other than "trust" authentication.
>
> Or something along that line? Since it would no longer actually be
> default. Or do we want something like "On some installations, the
> default is..."?

Woh, I didn't think we agreed that the default would change from
'trust', only that we would now emit a warning and allow other
authentication methods to be specified at initdb time.

--
  Bruce Momjian
On Tue, 2004-07-13 at 17:44, Bruce Momjian wrote:
> Magnus Hagander wrote:
> > > not to mention the
> > >more basic problem that the comments will now be wrong.
> >
> > That, however, is correct :-( Sloppy.
> >
> > How about a text along the line of:
> > CAUTION: Configuring the system for "trust" authentication allows any
> > local user to connect using any PostgreSQL user name, including the
> > superuser, over either Unix domain sockets or TCP/IP. If you are on
> > a multiple-user machine, this is probably not good. Change it to use
> > something other than "trust" authentication.
> >
> > Or something along that line? Since it would no longer actually be
> > default. Or do we want something like "On some installations, the
> > default is..."?
>
> Woh, I didn't think we agreed that the default would change from
> 'trust', only that we would now emit a warning and allow other
> authentication methods to be specified at initdb time.
>

I sure hope not (and that was my understanding as well)

Incidentally that warning is a little misleading since it isn't just
trust authentication that allows the wide open connections, but the
combo of all users / all dbs / trust that does it. For example on one
of my development machines I have a guest user who only has read access
to a specific database from a limited subnet, but with trust
authentication since random people inside the company will sometimes
want to take a look at what I am cooking up. For my needs I use the
superuser account who can access all databases but must come through
ident on a unix socket. Different strokes for different folks eh?

Robert Treat
--
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
Robert Treat wrote:
> > Woh, I didn't think we agreed that the default would change from
> > 'trust', only that we would now emit a warning and allow other
> > authentication methods to be specified at initdb time.
> >
>
> I sure hope not (and that was my understanding as well)
>
> Incidentally that warning is a little misleading since it isn't just
> trust authentication that allows the wide open connections, but the
> combo of all users / all dbs / trust that does it. For example on one
> of my development machines I have a guest user who only has read access
> to a specific database from a limited subnet, but with trust
> authentication since random people inside the company will sometimes
> want to take a look at what I am cooking up. For my needs I use the
> superuser account who can access all databases but must come through
> ident on a unix socket. Different strokes for different folks eh?

Sure, but the point is that the 'trust' line added by initdb is
wide-open. Folks who do that fine-grained control will not get confused
by the warning, hopefully.

--
  Bruce Momjian
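An added example, not code from the thread or from PostgreSQL, that puts Robert's and Bruce's point into a check: a "trust" line is only wide open when it also covers all databases and all users, which is exactly what the initdb-written line does. The sample pg_hba.conf below is constructed; the database name, guest role and subnet are placeholders, and the parser assumes the CIDR address form of one address field per host line.

```python
"""Flag wide-open pg_hba.conf rules (all databases, all users, trust)."""
import shlex

# Constructed sample: the two lines a default initdb writes, followed by
# the kind of split Robert describes (superuser only via ident on the
# Unix socket, a guest role on one database from one subnet with trust,
# md5 for everything else, as initdb -W/--pwfile would set as default).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      trust
host    all       all       127.0.0.1/32   trust
local   all       postgres                 ident sameuser
host    scratchdb guest     10.1.2.0/24    trust
host    all       all       127.0.0.1/32   md5
"""


def parse_hba(text):
    """Return (lineno, type, database, user, address, method) per rule.

    Field layout follows pg_hba.conf: TYPE DATABASE USER [ADDRESS] METHOD,
    with no ADDRESS on 'local' lines. Comments and blank lines are skipped.
    """
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)  # honours quoted "names,with,commas"
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError("line %d: too few fields" % n)
            kind, db, user, addr, method = f[0], f[1], f[2], None, f[3]
        else:
            if len(f) < 5:
                raise ValueError("line %d: too few fields" % n)
            kind, db, user, addr, method = f[0], f[1], f[2], f[3], f[4]
        rules.append((n, kind, db, user, addr, method))
    return rules


def is_wide_open(rule):
    """True only for the combination the thread warns about:
    every user into every database with no credentials at all."""
    _, _, db, user, _, method = rule
    return method == "trust" and db == "all" and user == "all"


def wide_open_lines(text):
    """Line numbers of wide-open rules; first match wins in pg_hba.conf,
    so an early hit here shadows any stricter line after it."""
    return [r[0] for r in parse_hba(text) if is_wide_open(r)]
```

The narrow guest line (one database, one role, one subnet) is not flagged even though it uses trust, while both initdb lines are.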