Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Cc: Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
Date: 2001-11-28 01:50:28
Message-ID: 200111280150.fAS1oSv05626@candle.pha.pa.us
Lists: pgsql-hackers


This is a known problem. I just updated the documentation today to
stress that local users have full access to any database by default, and
that initdb -W and changing pg_hba.conf to password/md5 are the best
ways to fix this.

---------------------------------------------------------------------------

> Hi guys,
>
> This came across the phpPgAdmin list, and I'm reposting it here in case it
> is actually true...? If it is, is it a Postgres or a Debian package issue?
>
> Chris
>
> -----Original Message-----
> From: phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net
> [mailto:phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net]On Behalf Of Guilherme
> Barile
> Sent: Wednesday, 28 November 2001 3:58 AM
> To: phpPgAdmin-devel(at)lists(dot)sourceforge(dot)net
> Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
> anyone!
>
>
> Debian comes with a severe configuration fault in postgresql ... in
> pg_hba.conf, it uses TRUST as the default authentication method (from
> localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
> password.
>
> There are DOZENS of sites out there running without any security! And this
> is terrible! If I weren't a very nice person and simply didn't change
> anything (I could, as postgres is superuser and I can log in as it).
> Here's how to fix it (on debian, don't know if any other distribution is
> affected):
> log in as postgres
> run psql
> check the pg_shadow table (SELECT * FROM pg_shadow;)
> see if everyone has a password (especially user postgres)
>
> After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
> following lines:
>
> local all password
> host all 127.0.0.1 255.0.0.0 password
>
> Then it will require a password.
> Also, if you wish to block connections from the internet, add this also:
>
> host all 0.0.0.0 0.0.0.0 reject
>
> Please put this on the page or together with PhpPgAdmin's documentation.
> (Search google.com with "phppgadmin local:5432" and check for yourself ...
> login as postgres and type anything as password!)
>
>
> Thank you very much for your attention (Please be kind and reply)
>
> Guilherme Barile
> Infoage Web Solutions
> Sao Paulo - SP - Brazil
>
>
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
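As an added example (not code from this thread or from the PostgreSQL project), the following audit parses the 7.x-era pg_hba.conf layout shown in the quoted message, flags every rule that uses the trust method, and reports how many addresses each host rule's IP/mask pair actually matches. The sample file is constructed; the column layout (local DATABASE AUTH_TYPE / host DATABASE IP MASK AUTH_TYPE) is assumed from the lines quoted above.

```python
import ipaddress

# Constructed sample in the old (PostgreSQL 7.x) pg_hba.conf layout: the
# Debian default "trust" line discussed in the thread, then the password
# lines proposed as the fix, then a reject-all rule for the internet.
SAMPLE_HBA = """\
# TYPE  DATABASE  IP_ADDRESS  MASK         AUTH_TYPE
local   all                                trust
host    all       127.0.0.1   255.0.0.0    password
host    all       0.0.0.0     0.0.0.0      reject
"""

def parse_hba(text):
    """Parse 7.x-style pg_hba.conf lines; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 3:
            rules.append({"line": lineno, "type": "local", "db": f[1],
                          "method": f[2], "hosts": None})
        elif f[0] in ("host", "hostssl") and len(f) >= 5:
            # IP/mask pair -> network; strict=False tolerates host bits in the IP
            net = ipaddress.IPv4Network((f[2], f[3]), strict=False)
            rules.append({"line": lineno, "type": f[0], "db": f[1],
                          "method": f[4], "hosts": net.num_addresses})
        else:
            rules.append({"line": lineno, "type": "invalid", "db": None,
                          "method": None, "hosts": None})
    return rules

def audit_hba(text):
    """Return (line, message) findings: trust rules, and host rules whose
    mask admits more than one address (so the admin can confirm the intent)."""
    findings = []
    for r in parse_hba(text):
        if r["method"] == "trust":
            findings.append((r["line"], "trust: no password required for %s "
                             "connections to database(s) %s" % (r["type"], r["db"])))
        if r["hosts"] is not None and r["hosts"] > 1 and r["method"] != "reject":
            findings.append((r["line"], "%s rule matches %d addresses"
                             % (r["type"], r["hosts"])))
    return findings

if __name__ == "__main__":
    for line, msg in audit_hba(SAMPLE_HBA):
        print("line %d: %s" % (line, msg))
```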
