Denis Pugnere wrote:
> PG 7.0.2, RH Linux 6.2
> I'm trying to secure access to pgsql databases.
> The policy I use is to only allow access to databases with passwords.
> For this, I use in pg_hba.conf:
> local all password
> host all 127.0.0.1 255.255.255.255 password
> I don't understand why with this configuration I can access all
> databases even if I'm not the owner. For example: if the database test is
> owned by user1 and this user has all grants on all tables in this
> database, every user created with "CREATE USER ..." (with or without
> password) in the local system can run a command like:
> user2% psql test -U user1
> Welcome to psql, the PostgreSQL interactive terminal.
> Type: \copyright for distribution terms
> \h for help with SQL commands
> \? for help on internal slash commands
> \g or terminate with semicolon to execute query
> \q to quit
> Why is this access allowed?
> How to secure access to databases?
Have that "unauthorized" user try a SELECT and see what happens. They
are allowed to connect, but not to retrieve any records.
Anthony E. Greene <agreene(at)pobox(dot)com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Linux. The choice of a GNU Generation. <http://www.linux.org/>
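
As an added illustration (not part of either message, and not PostgreSQL's own code), the sketch below models how the two quoted pg_hba.conf records would be matched against a connection attempt. It assumes the record layout shown in the question and first-match-wins evaluation; `parse_hba` and `auth_for` are hypothetical names. Neither quoted record carries a user or owner field, so the match depends only on connection type, database and client address.

```python
import ipaddress

# Constructed sample: the two records quoted in the question, in the layout
# the message uses (assumed: "local DB AUTH" and "host DB IP MASK AUTH").
SAMPLE_HBA = """\
# comment lines and blank lines are ignored
local all password
host all 127.0.0.1 255.255.255.255 password
"""

def parse_hba(text):
    """Return the records as a list of dicts, in file order."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 3:
            records.append({"type": "local", "db": fields[1], "auth": fields[2]})
        elif fields[0] == "host" and len(fields) >= 5:
            # IP plus netmask becomes one network object, e.g. 127.0.0.1/32
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            records.append({"type": "host", "db": fields[1],
                            "net": net, "auth": fields[4]})
        else:
            raise ValueError(f"unrecognised record: {raw!r}")
    return records

def auth_for(records, database, client_ip=None):
    """Auth method of the first matching record.

    client_ip=None models a local (Unix socket) connection.
    Returns None when no record matches, i.e. the connection is refused.
    """
    for rec in records:
        if rec["db"] not in ("all", database):
            continue
        if client_ip is None:
            if rec["type"] == "local":
                return rec["auth"]
        elif rec["type"] == "host" and ipaddress.ip_address(client_ip) in rec["net"]:
            return rec["auth"]
    return None
```
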