
Re: Bugtraq: Having Fun With PostgreSQL

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Steve Atkins <steve(at)blighty(dot)com>, pgsql-hackers(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: Bugtraq: Having Fun With PostgreSQL
Date: 2007-06-24 16:30:30
Message-ID: 467E9C26.8010502@dunslane.net
Lists: pgsql-hackers

Tom Lane wrote:
> Steve Atkins <steve(at)blighty(dot)com> writes:
>   
>> On Jun 23, 2007, at 11:03 AM, Magnus Hagander wrote:
>>     
>>> Out of curiosity, how do other databases deal with this?
>>>       
>
>   
>> MySQL installs with an empty root password for access from
>> localhost or the machine's own IP address. It also installs an
>> account with network access to any database beginning with
>> "test" and possibly some more ill-defined accounts with local
>> access.
>>     
>
> FWIW, on mysql 5.0.42 I see only "root@localhost" and "root@127.0.0.1"
> in a fresh-out-of-the-box installation; not sure where you got these
> other accounts, maybe a distro-specific modification?
>
> But the bottom line is that mysql's out-of-the-box behavior is
> *exactly* like our trust-for-local-connections behavior.  Anyone
> on the box can do "mysql -u root ..." and the server will accept
> them as being superuser (they don't even have to know to enter an
> empty password, in my experience).
>   


This is all documented. For 5.1.x see: 
http://dev.mysql.com/doc/refman/5.1/en/default-privileges.html

Perhaps we should add a section to our docs on securing the database.

cheers

andrew
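
An added example, not part of the original message or of PostgreSQL itself: a small Python check for the trust-for-local-connections setup Tom Lane describes, listing every pg_hba.conf rule that uses the trust method and whether it covers the Unix socket, loopback, or a network range. It assumes unquoted fields and no include directives; SAMPLE_PG_HBA and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules (not taken from the thread or from any real server).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   10.0.0.0/8     md5
host    app       app   192.168.1.5  255.255.255.255  trust
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_rule(line):
    """Return (type, database, user, address, method); None for blank/comment lines."""
    f = line.split("#", 1)[0].split()
    if not f:
        return None
    if len(f) < (4 if f[0] == "local" else 5):
        raise ValueError(f"incomplete rule: {line!r}")
    if f[0] == "local":                   # local DATABASE USER METHOD
        return f[0], f[1], f[2], None, f[3]
    if len(f) >= 6 and _is_ip(f[4]):      # host DATABASE USER ADDRESS NETMASK METHOD
        return f[0], f[1], f[2], f"{f[3]}/{f[4]}", f[5]
    return f[0], f[1], f[2], f[3], f[4]   # host DATABASE USER ADDRESS METHOD

def scope_of(address):
    if address is None:
        return "unix-socket"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:                    # hostname or keyword, not an IP range
        return "unknown"
    return "loopback" if net.is_loopback else "network"

def audit_trust(text):
    """List (line_no, scope, database, user) for each rule whose method is trust."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule[4] == "trust":
            findings.append((no, scope_of(rule[3]), rule[1], rule[2]))
    return findings
```

Running `audit_trust` over a server's pg_hba.conf contents gives the list of rules to replace with a password or peer-identity method; a "network" finding is the one to treat as most urgent.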

