Re: Too easy to log in as the "postgres" user?

From: Andrew Bailey <hazlorealidad(at)gmail(dot)com>
To: Thom Brown <thombrown(at)gmail(dot)com>
Cc: PGSQL Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Too easy to log in as the "postgres" user?
Date: 2009-10-15 13:24:57
Message-ID: 5bb15ef10910150624p4646ff56oc62f46f4a2639b6b@mail.gmail.com

Thom,

You appear to be trusting all connections; what I think you want is the
following:

local all all ident sameuser
# IPv4 local connections:
host all all 127.0.0.1/32 ident sameuser
# IPv6 local connections:
host all all ::1/128 ident sameuser

Remember that you need to get postgres to reread the file after
changing it by using pg_ctl reload or kill -HUP {pid}.

Andy Bailey

On Thu, Oct 15, 2009 at 5:38 AM, Thom Brown <thombrown(at)gmail(dot)com> wrote:
> I've noticed that if I just log in to my server, I don't su to root,
> or become the postgres user, I can get straight into the database as
> the postgres user merely with "psql -U postgres -h localhost".  My
> user account isn't a member of the postgres group.
>
> It appears I've not applied my security settings correctly.  What can
> I do to prevent access this way?  I'd still want to be able to su to
> the postgres user and log in that way, but not with the -U parameter
> allowing access.
>
> The pg_hba.conf is probably relevant here, so this is the setup:
>
> # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
>
> # "local" is for Unix domain socket connections only
> local   all         all                               trust
> # IPv4 local connections:
> host    all         all         127.0.0.1/32          trust
> # IPv6 local connections:
> host    all         all         ::1/128               trust
>
> Thanks
>
> Thom Brown
> Crawley, UK
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

--
Andrew Bailey

(312) 866 9556

CONFIDENTIALITY AND NON-DISCLOSURE NOTICE:
The information contained in this e-mail and its attachments is
confidential and may only be used by the individual or company to
which it is addressed. If you are not the authorized recipient, any
retention, dissemination, distribution or copying of this message is
prohibited and punishable by law. If you receive this message in error,
please return it and delete it immediately.
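The underlying problem in this thread is that every line of Thom's pg_hba.conf used the `trust` method, which lets any local process connect as any role, including `postgres`, with no credential check at all. The following Python script is an added example, not code from the thread or from the PostgreSQL project: it parses pg_hba.conf entries (the `local` and `host*` record types, including the older "address netmask" two-field form) and reports every entry whose method is `trust`, so an administrator can audit a file before and after a change like the one Andy suggests. The two embedded configurations are constructed from the thread's own examples. One caveat worth knowing: on PostgreSQL 9.1 and later, matching the connecting OS user on a Unix-domain socket is spelled `peer`, while `ident` over TCP/IP consults an identd server on the client host.

```python
"""Audit a pg_hba.conf for entries that grant access without authentication."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Methods that let a client in without presenting any credential.
PERMISSIVE_METHODS = {"trust"}

# Record types that carry a client address column ("local" does not).
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    address: Optional[str]          # None for Unix-socket ("local") entries
    method: str
    options: List[str] = field(default_factory=list)
    lineno: int = 0


def parse_pg_hba(text: str) -> List[HbaEntry]:
    """Parse pg_hba.conf text into entries; comments and blank lines are skipped."""
    entries: List[HbaEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local entry")
            database, user, address = fields[1], fields[2], None
            rest = fields[3:]
        elif conn_type in HOST_TYPES:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: malformed {conn_type} entry")
            database, user, address = fields[1], fields[2], fields[3]
            rest = fields[4:]
            # Old two-field form "IP netmask": fold the mask into the address.
            if "/" not in address and rest and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", rest[0]):
                address = f"{address}/{rest[0]}"
                rest = rest[1:]
            if not rest:
                raise ValueError(f"line {lineno}: missing auth method")
        else:
            raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
        entries.append(HbaEntry(conn_type, database, user, address,
                                rest[0], rest[1:], lineno))
    return entries


def audit(text: str) -> List[str]:
    """Return one finding per entry that uses a permissive method."""
    findings = []
    for e in parse_pg_hba(text):
        if e.method in PERMISSIVE_METHODS:
            where = e.address or "unix socket"
            findings.append(f"line {e.lineno}: {e.conn_type} db={e.database} "
                            f"user={e.user} from {where} uses '{e.method}' "
                            f"(no authentication)")
    return findings


# Constructed sample: the configuration Thom posted (everything trusted).
ORIGINAL_HBA = """\
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         all                               trust
host    all         all         127.0.0.1/32          trust
host    all         all         ::1/128               trust
"""

# Constructed sample: the configuration Andy suggested in reply.
FIXED_HBA = """\
local all all ident sameuser
# IPv4 local connections:
host all all 127.0.0.1/32 ident sameuser
# IPv6 local connections:
host all all ::1/128 ident sameuser
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_HBA), ("fixed", FIXED_HBA)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no permissive entries"]:
            print(" ", finding)
```

Run the script directly to compare both configurations; in practice you would read the live file (`SHOW hba_file;` reports its path) and, as the reply notes, reload the server after editing it so the new rules take effect.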
