Trying to secure PostgreSQL

Andrew L. Gould algould at datawok.com
Fri Sep 12 14:39:39 PDT 2003


On Friday 12 September 2003 03:59 pm, Kirk Strauser wrote:
> I'm running PostgreSQL 7.3 on a FreeBSD 5.1 server.  The databases are
> working well and it's humming along nicely, but I really want to secure it.
>
> In particular, my pg_hba.conf looks like:
>
>    local   all         pgsql                                          
> trust host    all         all         127.0.0.1         255.255.255.255  
> md5 host    all         all         10.0.5.16         255.255.255.255   md5
>
> This isn't very good.  Any user connecting to the machine via the network
> is authenticated as expected, but local connections slide in without
> protection.  The biggest problem with this comes with running phpPgAdmin.
> Since it runs under Apache on the same server, it uses a local connection
> to the database.  That means that Joe User can type
>
>    Username: pgsql
>    Password: <blank>
>
> and have full read/write access to all of my databases.
>
> This is not good.
>
> The alternative seems to be re-writing the first line of pg_hba.conf as
>
>    local   all         all       md5
>
> That works decently, *except* that I have to enter the password for `pgsql'
> before the database startup.
>
> I've Googled for the answer, but there seems to be a tremendous amount of
> chaff with the wheat.  I know other admins have dealt with this; how did
> you handle it?  Is there an important document I'm missing somewhere?

You're looking for something difficult when the easier answer is correct.

As root, set pgsql's password by executing:

passwd pgsql

Best of luck,

Andrew Gould


More information about the freebsd-questions mailing list