Re: Online documentation unclear about authentication defaults
From | bubblboy |
---|---|
Subject | Re: Online documentation unclear about authentication defaults |
Date | |
Msg-id | 45C9879A.1020809@gmail.com |
In reply to | Re: Online documentation unclear about authentication defaults (Alvaro Herrera <alvherre@commandprompt.com>) |
Responses | Re: Online documentation unclear about authentication defaults |
List | pgsql-docs |
Alvaro Herrera wrote:
> bubblboy wrote:
>> Hi,
>>
>> After following the postgresql tutorial for setting up a postgresql
>> server [1] I noticed that I could log in without entering my password.
>> The documentation did not tell me this (maybe I overlooked it),
>> even though it does show you how to create roles with passwords. In my
>> opinion it would be a good idea to include a warning like "the default
>> installation trusts everybody that can make a connection to the
>> database" because it could lead to some (problematic) confusions.
>>
>> I didn't check extensively in the docs to see if there actually was such
>> a warning, particularly because I felt that if there was, it was
>> probably not prominent enough (or I would have noticed). Sorry if there
>> was indeed a big warning splattered over the tutorial somewhere.
>
> The tutorial indeed neglects warning you about that, but initdb doesn't.
> It outputs these lines
>
> WARNING: enabling "trust" authentication for local connections
> You can change this by editing pg_hba.conf or using the -A option the
> next time you run initdb.
>
>
> Maybe this is not strong enough, or not scary enough?

Hmm,

You are right, I ran initdb a few weeks ago and continued today.
Personally, I would say that it wouldn't be a bad idea to include a
second warning in the documentation nonetheless, just to emphasize it
(or maybe make the initdb message a little more prominent - who knows).
I can imagine that I saw all that output and thought "oh well, I'm
following the tutorial so this won't be very interesting", but maybe
(probably) that's just plain stupid :)

Greetings,

bb
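The initdb warning quoted above is easy to miss, so it helps to check pg_hba.conf directly for rules that still use `trust`. The following is an added example, not part of the original thread or of PostgreSQL itself; the function names and the sample file content are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in pg_hba.conf syntax; not taken from any real server.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       trust
host    all       all       127.0.0.1/32    trust
host    all       all       ::1/128         md5
host    app       app_user  10.0.0.0 255.0.0.0 trust  # netmask form
hostssl all       all       0.0.0.0/0       md5
"""

def _is_bare_ip(token):
    """True for an address written without /prefix (a netmask field follows)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def find_trust_rules(text):
    """Return (line_no, conn_type, database, user, address) for each trust rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if len(fields) < 4:
            continue  # blank, comment-only, or not a complete record
        conn_type, database, user = fields[0], fields[1], fields[2]
        if conn_type == "local":
            address, method_idx = "(unix socket)", 3
        elif conn_type.startswith("host"):
            # host records carry either ADDRESS/prefix or ADDRESS plus NETMASK
            if _is_bare_ip(fields[3]) and len(fields) > 5:
                address, method_idx = f"{fields[3]} {fields[4]}", 5
            else:
                address, method_idx = fields[3], 4
        else:
            continue  # e.g. include directives; not an authentication record
        if len(fields) > method_idx and fields[method_idx] == "trust":
            findings.append((line_no, conn_type, database, user, address))
    return findings

if __name__ == "__main__":
    for line_no, conn_type, db, user, addr in find_trust_rules(SAMPLE_PG_HBA):
        print(f"line {line_no}: {conn_type} db={db} user={user} from {addr} -> no password required")
```

To audit a real server, pass the contents of its pg_hba.conf to `find_trust_rules` instead of the sample string.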