On 6/25/07, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Andrew Sullivan <ajs(at)crankycanuck(dot)ca> writes:
> > On Mon, Jun 25, 2007 at 01:31:52PM -0400, Tom Lane wrote:
> >> Why is that better than the initdb-time option we already have?
> >> Locking down options earlier rather than later is usually not a win.
> > Like I said, I don't actually think it _is_ better. But it would
> > solve the problem that some people think it's a bad thing that you
> > run superuser-type commands without reading the manual, and then get
> > a badly-secured system. (The idea here, incidentally, is not to
> > replace the initdb-time option, but to set the default of the initdb
> > command.)
> But, per previous discussion, the people that would be affected are
> only the ones building from source. If they didn't read the manual
> for initdb (nor notice the warning it puts out about trust auth),
> they *certainly* didn't look for any nonstandard configure options.
> The normal build process for any open-source package is
> sudo make install
> ... now what? OK, time to read the manual ...
Since they presumably don't know about initdb yet, yeah, I figure
they'll be reading the manual. We already talk about how to initdb.
It seems reasonable to have the manual talk about how to initially
connect to your "secure by default" database and create a
non-superuser working user.
I like the idea of it being a configure flag, it seems the least
invasive way to do it.
In response to
pgsql-hackers by date
|Next:||From: Tom Lane||Date: 2007-06-25 23:31:28|
|Subject: Re: Bugtraq: Having Fun With PostgreSQL |
|Previous:||From: Jim Nasby||Date: 2007-06-25 23:11:26|
|Subject: Re: Winner of naming discussions: Synchronous Commit|