Trying to secure PostgreSQL
Kirk Strauser
kirk at strauser.com
Fri Sep 12 13:59:32 PDT 2003
I'm running PostgreSQL 7.3 on a FreeBSD 5.1 server. The databases are
working well and it's humming along nicely, but I really want to secure it.
In particular, my pg_hba.conf looks like:
local all pgsql trust
host all all 127.0.0.1 255.255.255.255 md5
host all all 10.0.5.16 255.255.255.255 md5
This isn't very good. Any user connecting to the machine via the network is
authenticated as expected, but local connections slide in without
protection. The biggest problem with this comes with running phpPgAdmin.
Since it runs under Apache on the same server, it uses a local connection to
the database. That means that Joe User can type
Username: pgsql
Password: <blank>
and have full read/write access to all of my databases.
This is not good.
The alternative seems to be re-writing the first line of pg_hba.conf as
local all all md5
That works decently, *except* that I have to enter the password for `pgsql'
before the database startup.
I've Googled for the answer, but there seems to be a tremendous amount of
chaff with the wheat. I know other admins have dealt with this; how did you
handle it? Is there an important document I'm missing somewhere?
--
Kirk Strauser
"94 outdated ports on the box,
94 outdated ports.
Portupgrade one, an hour 'til done,
82 outdated ports on the box."
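Added example, not part of the original post: a small checker that parses the pg_hba.conf records quoted above (PostgreSQL 7.x layout, with a separate netmask on host lines, plus the later CIDR form) and reports every entry whose method is `trust`, i.e. every path on which a client is mapped to a role with no secret at all. Field names and the sample configuration are constructed for this example.

```python
"""Flag pg_hba.conf entries that skip authentication ("trust").

Record layouts handled (options after the method are ignored):
  local   DATABASE USER METHOD
  host*   DATABASE USER ADDRESS MASK METHOD      (7.3 style, separate netmask)
  host*   DATABASE USER ADDRESS/PREFIX METHOD    (CIDR form, later releases)
"""
from typing import Dict, List

METHODS_WITHOUT_SECRET = {"trust"}  # any client on that path gets in as the named role


def parse_hba(text: str) -> List[Dict[str, str]]:
    """Parse pg_hba.conf text into records, skipping comments and blank lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            address, method = "unix socket", fields[3]
        elif kind in ("host", "hostssl", "hostnossl") and len(fields) >= 5 and "/" in fields[3]:
            address, method = fields[3], fields[4]           # CIDR form
        elif kind in ("host", "hostssl", "hostnossl") and len(fields) >= 6:
            address, method = f"{fields[3]}/{fields[4]}", fields[5]  # 7.3 form: address + mask
        else:
            raise ValueError(f"line {lineno}: unrecognised pg_hba.conf record: {raw!r}")
        records.append({"line": str(lineno), "type": kind, "database": fields[1],
                        "user": fields[2], "address": address, "method": method})
    return records


def find_trust_entries(text: str) -> List[str]:
    """Return one readable finding per record whose method requires no secret."""
    findings = []
    for rec in parse_hba(text):
        if rec["method"] in METHODS_WITHOUT_SECRET:
            findings.append(f"line {rec['line']}: {rec['type']} connections from {rec['address']} "
                            f"become role '{rec['user']}' on '{rec['database']}' with no password")
    return findings


# Constructed sample: the configuration quoted in the post above.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   ADDRESS     MASK             METHOD
local   all       pgsql                               trust
host    all       all    127.0.0.1   255.255.255.255  md5
host    all       all    10.0.5.16   255.255.255.255  md5
"""

if __name__ == "__main__":
    for finding in find_trust_entries(SAMPLE_HBA) or ["no trust entries found"]:
        print(finding)
```

Run against the sample it reports only the `local all pgsql trust` line; feeding it the replacement `local all all md5` configuration from the post yields no findings.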