Trying to secure PostgreSQL
Andrew L. Gould
algould at datawok.com
Fri Sep 12 14:39:39 PDT 2003
On Friday 12 September 2003 03:59 pm, Kirk Strauser wrote:
> I'm running PostgreSQL 7.3 on a FreeBSD 5.1 server. The databases are
> working well and it's humming along nicely, but I really want to secure it.
>
> In particular, my pg_hba.conf looks like:
>
> local all pgsql                               trust
> host  all all   127.0.0.1 255.255.255.255     md5
> host  all all   10.0.5.16 255.255.255.255     md5
>
> This isn't very good. Any user connecting to the machine via the network
> is authenticated as expected, but local connections slide in without
> protection. The biggest problem with this comes with running phpPgAdmin.
> Since it runs under Apache on the same server, it uses a local connection
> to the database. That means that Joe User can type
>
> Username: pgsql
> Password: <blank>
>
> and have full read/write access to all of my databases.
>
> This is not good.
>
> The alternative seems to be re-writing the first line of pg_hba.conf as
>
> local all all md5
>
> That works decently, *except* that I have to enter the password for `pgsql'
> before the database startup.
>
> I've Googled for the answer, but there seems to be a tremendous amount of
> chaff with the wheat. I know other admins have dealt with this; how did
> you handle it? Is there an important document I'm missing somewhere?
You're looking for something difficult when the easier answer is correct.

As root, set pgsql's password by executing:

    passwd pgsql

Best of luck,

Andrew Gould
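
An added example, not part of the original thread: a small Python audit that parses a pg_hba.conf in the field layout quoted above and lists every rule whose method is `trust`, which is the entry that lets a local client in without a password. The function names and the sample text are constructed for illustration; the parser also accepts a CIDR address in place of the address and mask pair, which goes beyond the format shown in the post.

```python
# Added example: audit pg_hba.conf for rules that skip password checks.
# Assumed field layout (PostgreSQL 7.3 style, as quoted in the post):
#   local DATABASE USER METHOD
#   host  DATABASE USER IP-ADDRESS IP-MASK METHOD  (or IP/len instead of IP + MASK)
NO_PASSWORD_METHODS = {"trust"}  # methods that admit a client with no credential


def parse_hba(text):
    """Return one dict per rule, skipping comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn = fields[0]
        if conn == "local":
            n_addr = 0  # Unix-socket rules carry no address
        elif conn in ("host", "hostssl"):
            # Address is one field when written as IP/len, otherwise IP + MASK.
            n_addr = 1 if len(fields) > 3 and "/" in fields[3] else 2
        else:
            raise ValueError(f"line {lineno}: unknown connection type {conn!r}")
        if len(fields) < 4 + n_addr:
            raise ValueError(f"line {lineno}: too few fields")
        rules.append({
            "line": lineno,
            "type": conn,
            "database": fields[1],
            "user": fields[2],
            "address": " ".join(fields[3:3 + n_addr]) or None,
            "method": fields[3 + n_addr],
        })
    return rules


def passwordless_rules(rules):
    """Rules that authenticate a connection without asking for a password."""
    return [r for r in rules if r["method"] in NO_PASSWORD_METHODS]


# Constructed sample, mirroring the configuration quoted in the post.
SAMPLE = """\
# TYPE DATABASE USER ADDRESS MASK METHOD
local all pgsql                               trust
host  all all   127.0.0.1 255.255.255.255     md5
host  all all   10.0.5.16 255.255.255.255     md5
"""

if __name__ == "__main__":
    for r in passwordless_rules(parse_hba(SAMPLE)):
        print(f"line {r['line']}: {r['type']} db={r['database']} "
              f"user={r['user']} method={r['method']} (no password required)")
```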