From: | Marcel Gsteiger <marcel(dot)gsteiger(at)milprog(dot)ch> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: postgres 7.1 security problem? |
Date: | 2001-06-06 07:04:29 |
Message-ID: | 3B1DD5FD.E3DE6442@milprog.ch |
Lists: | pgsql-general |
My pg_hba.conf obviously says trust when it shouldn't.
Meanwhile I changed that. Sorry, I did not know that all passwords are being
ignored when one uses trust in pg_hba.conf. However, I still have to use trust
authentication for my webapps. Obviously someone broke into my database this
way. I will have to change several things, e.g. install users with read-only
privileges on some databases. I also use ODBC to remotely access my databases,
but this works only with plaintext password authentication, which is quite a
security risk. Maybe I will have to install CIPE or something similar to
encrypt my database connection.
Thanks for your response.

--Marcel

Stephan Szabo wrote:
> What does your pg_hba.conf say?
>
> On Wed, 30 May 2001, Marcel Gsteiger wrote:
>
> > My postgres 7.1 now runs for several weeks without problems. Today I
> > suddenly became aware of the fact that no passwords are needed anymore to
> > login to any database.
> >
> > Seems that the security system has been defeated in some way. pg_dumpall
> > -g still shows the correct users and passwords.
> >
> > I don't know what went wrong here. This is a very severe situation for
> > me, so I would much appreciate any hint on how I could check the
> > security system and make it work again.
> >
> > My postmaster gets started with the following command:
> >
> > su -l postgres -c "/usr/local/pgsql/bin/pg_ctl -D $PGDATA -p
> > /usr/local/pgsql/bin/postmaster -o "-i" start >/dev/null 2>&1" <
> > /dev/null
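
Added example, not part of the original message or of PostgreSQL: a small Python checker showing why the stored passwords stop mattering once an earlier `trust` record matches a connection, since pg_hba.conf records are consulted in order and the first match decides. The sample file is constructed and assumes the 7.1-era record layout (`local DBNAME AUTHTYPE`, `host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE`); the function names are hypothetical, and only `local` and `host` records with `all` or a literal database name are handled.

```python
import ipaddress

# Constructed sample (not the poster's file). Assumed 7.1-era layout:
#   local DBNAME AUTHTYPE
#   host  DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE
SAMPLE_HBA = """\
local all                                 trust
host  all    127.0.0.1  255.255.255.255   trust
host  all    0.0.0.0    0.0.0.0           trust     # matches every TCP client
host  webdb  192.0.2.0  255.255.255.0     password  # never reached
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_hba(text):
    """Return the records in file order; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 3:
            records.append({"line": lineno, "type": "local", "db": f[1], "method": f[2]})
        elif f[0] == "host" and len(f) >= 5:
            records.append({"line": lineno, "type": "host", "db": f[1],
                            "addr": _ip(f[2]), "mask": _ip(f[3]), "method": f[4]})
        else:
            raise ValueError(f"line {lineno}: unsupported record {raw!r}")
    return records

def effective_record(records, db, client_ip=None):
    """First matching record wins; None means refused. client_ip=None is a Unix socket."""
    for r in records:
        if r["db"] not in ("all", db):
            continue
        if client_ip is None and r["type"] == "local":
            return r
        if (client_ip is not None and r["type"] == "host"
                and (_ip(client_ip) & r["mask"]) == (r["addr"] & r["mask"])):
            return r
    return None

def findings(records):
    """Flag records that skip the password check or accept it in cleartext over TCP."""
    notes = {"trust": "no password is checked", "password": "password sent in cleartext"}
    return [(r["line"], r["method"], notes[r["method"]]) for r in records
            if r["method"] == "trust" or (r["method"] == "password" and r["type"] == "host")]
```

With the sample, a client at 192.0.2.10 connecting to `webdb` resolves to the catch-all `trust` record on line 3, so the `password` record below it is never consulted.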