Alvaro Herrera wrote:
> bubblboy wrote:
>> After following the postgresql tutorial for setting up a postgresql
>> server  I noticed that I could log in without entering my password.
>> The documentation did not tell me this (maybe I overlooked it),
>> eventhough it does show you how to create roles with passwords. In my
>> opinion it would be a good idea to include a warning like "the default
>> installation trusts everybody that can make a connection to the
>> database" because it could lead to some (problematic) confusions.
>> I didn't check extensively in the docs to see if there actually was such
>> a warning, particularly because I felt that if there was, it was
>> probably not prominent enough (or I would have noticed). Sorry if there
>> was indeed a big warning splattered over the tutorial somewhere.
> The tutorial indeed neglects warning you about that, but initdb doesn't.
> It outputs these lines
> WARNING: enabling "trust" authentication for local connections
> You can change this by editing pg_hba.conf or using the -A option the
> next time you run initdb.
> Maybe this is not strong enough, or not scary enough?
You are right, I ran initdb a few weeks ago and continued today.
Personally, I would say that it wouldn't be a bad idea to include a
second warning in the documentation nonetheless, just to emphasize it
(or maybe make the initdb message a little more prominent - who knows).
I can imagine that I saw all that output and thought "oh well, I'm
following the tutorial so this won't be very interesting", but maybe
(probably) that's just plain stupid :)
In response to
pgsql-docs by date
|Next:||From: Bruce Momjian||Date: 2007-02-08 03:57:22|
|Subject: Re: [HACKERS] [PATCHES] [PERFORM] Direct I/O issues|
|Previous:||From: Alvaro Herrera||Date: 2007-02-07 03:43:55|
|Subject: Re: Online documentation unclear about authentication defaults|