Thread

  1. Local Host Security? All users should have passwords optionally...

    PostgreSQL Bugs List <pgsql-bugs@postgresql.org> — 2001-03-26T22:08:41Z

    Ivn Baldo (ivan.baldo@pilasnet.com) reports a bug with a severity of 2
    The lower the number the more severe it is.
    
    Short Description
    Local Host Security? All users should have passwords optionally...
    
    Long Description
    I wanted to add passwords to all the users on the database, including the postgres user, etc. Then everything is authenticated using "crypt" method, so it asks passwords EVERYTIME.
    The problem I found is that I cannot do a "pg_dumpall" anymore, since I have no way to tell it to use the "postgres" user with a given password. It tries to use the user "root" without password and it fails miserably!
    What happens if a hacker (or worst, a cracker!) enters to the machine somehow and I don't ask passwords for unix domain sockets? Well, it has access to all my data... Ok, this should not happen, but I worry if it happens and I think it is important to enforce the security a little more in Postgres. The documentation doesn't say anything about this...
    
    Sample Code
    
    
    No file was uploaded with this report
    
    
    
  2. Re: Local Host Security? All users should have passwords optionally...

    Peter Eisentraut <peter_e@gmx.net> — 2001-03-27T15:56:00Z

    > Iván Baldo (ivan.baldo@pilasnet.com) reports a bug with a severity of 2
    
    > I wanted to add passwords to all the users on the database, including
    > the postgres user, etc. Then everything is authenticated using "crypt"
    > method, so it asks passwords EVERYTIME. The problem I found is that I
    > cannot do a "pg_dumpall" anymore, since I have no way to tell it to
    > use the "postgres" user with a given password.
    
    This is a known problem.  You could try to patch pg_dumpall to pass the -u
    option every time it calls pg_dump and psql.
    
    > It tries to use the
    > user "root" without password and it fails miserably! What happens if a
    > hacker (or worst, a cracker!) enters to the machine somehow and I
    > don't ask passwords for unix domain sockets?
    
    Try changing the permissions on the socket file (chmod).
    
    -- 
    Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/