This came across the phpPgAdmin list, and I'm reposting it here in case it
is actually true...? If it is, is it a Postgres or a Debian package issue?
From: phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net On Behalf Of Guilherme
Sent: Wednesday, 28 November 2001 3:58 AM
Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
Debian comes with a severe configuration fault in postgresql ... in
pg_hba.conf, it uses TRUST as the default authentication method (from
localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
There are DOZENS of sites out there running without any security! And this
is terrible! If I weren't a very nice person and simply didn't change
anything (I could, as postgres is superuser and I can log in as it).
Here's how to fix it (on debian, don't know if any other distribution is
log in as postgres
check the pg_shadow table (SELECT * FROM pg_shadow;)
see if everyone has a password (especially user postgres)
After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
local all password
host all 127.0.0.1 255.0.0.0 password
Then it will require a password.
Also, if you wish to block connections from the internet, add this as well:
host all 0.0.0.0 0.0.0.0 reject
Please put this on the page or together with PhpPgAdmin's documentation.
(Search google.com with "phppgadmin local:5432" and check for yourself ...
login as postgres and type anything as password!)
Thank you very much for your attention (Please be kind and reply)
Infoage Web Solutions
Sao Paulo - SP - Brazil
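A small audit script, added here as an example and not part of the original post or of phpPgAdmin: it parses pg_hba.conf lines in the column layout the post uses (TYPE DATABASE [ADDRESS MASK] METHOD) and reports every entry that still grants access with the "trust" method. Both config samples are constructed to mirror the default the post describes and the corrected lines it recommends.

```python
# Added example (not from the original post): audit a pg_hba.conf in the
# column layout the post uses (TYPE DATABASE [ADDRESS MASK] METHOD) and
# report entries that grant access with the "trust" method, i.e. no password.
# Both config texts are constructed samples, not copied from a real host.

VULNERABLE_HBA = """\
# constructed sample: the Debian-style default the post describes
local all trust
host all 127.0.0.1 255.255.255.255 trust
"""

FIXED_HBA = """\
# constructed sample: the post's corrected configuration
local all password
host all 127.0.0.1 255.0.0.0 password
host all 0.0.0.0 0.0.0.0 reject
"""

def parse_hba(text):
    """Return one dict per non-comment line: type, database, address, mask, method."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        entry = {"line": lineno, "type": fields[0], "database": fields[1],
                 "method": fields[-1], "address": None, "mask": None}
        if entry["type"] == "host" and len(fields) >= 5:
            # host lines carry a client address and netmask before the method
            entry["address"], entry["mask"] = fields[2], fields[3]
        entries.append(entry)
    return entries

def find_trust_entries(text):
    """Entries that let any matching client log in without a password."""
    return [e for e in parse_hba(text) if e["method"] == "trust"]

def audit(text):
    """Human-readable findings, one per trust entry (empty list means clean)."""
    findings = []
    for e in find_trust_entries(text):
        where = "local socket" if e["type"] == "local" else f"{e['address']}/{e['mask']}"
        findings.append(f"line {e['line']}: '{e['type']} {e['database']}' from {where} uses trust")
    return findings

if __name__ == "__main__":
    for label, cfg in (("default", VULNERABLE_HBA), ("fixed", FIXED_HBA)):
        print(label, audit(cfg) or ["no trust entries"])
```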