Re: What goes into the security doc?

From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Robert Treat" <xzilla(at)users(dot)sourceforge(dot)net>, "Dan Langille" <dan(at)langille(dot)org>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: What goes into the security doc?
Date: 2003-01-22 05:29:33
Message-ID: GNELIHDDFBOCMGBFGEFOGECMCFAA.chriskl@familyhealth.com.au
Lists: pgsql-docs pgsql-hackers

Recommend always running "initdb -W" and setting all pg_hba entries to md5.

Chris

> -----Original Message-----
> From: pgsql-hackers-owner(at)postgresql(dot)org
> [mailto:pgsql-hackers-owner(at)postgresql(dot)org]On Behalf Of Robert Treat
> Sent: Tuesday, 21 January 2003 11:17 PM
> To: Dan Langille
> Cc: pgsql-hackers(at)postgresql(dot)org
> Subject: Re: [HACKERS] What goes into the security doc?
>
>
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
>
> * Should have a mention of the pgcrypto code in contrib.
>
> * Brain hiccup, but isn't there some type of "password" datatype?
>
> * Explanation of problems/solutions of using md5 passwords inside
> PostgreSQL. This has tripped up a lot of people upgrading to 7.3.
>
> * Possibly go into server resource issues and the pitfalls in giving
> free form sql access to just anyone. (Think unconstrained join on all
> tables in a database)
>
> hth,
>
> Robert Treat
>
> On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> > With reference to my post to the "PostgreSQL Password Cracker" on
> > 2003-01-02, I've promised to write a security document for the project.
> > Here it is, Sunday night, and I can't sleep. What better way to get there
> > than start this task...
> >
> > My plan is to write this in very simple HTML. I will post the draft
> > document on my website and post the URL here from time to time for
> > feedback. Please make suggestions for content. So far, I will cover these
> > items:
> >
> > - .pgpass (see
> > http://developer.postgresql.org/docs/postgres/libpq-files.html)
> > - local connections
> > - remote connections (recommending SSL)
> > - pg_hba (only in passing, most of that is at
> > http://www.postgresql.org/idocs/index.php?client-authentication.html)
> > - running the postmaster as a specific user
> >
> > That doesn't sound like much. Surely you can think of something else to
> > add. Should I post this to another list for their views?
> >
> > OK, that's done it. I'm ready for sleep now.
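As an added example that is not part of this thread, a small script that audits a pg_hba.conf against Chris's recommendation and reports every entry not using md5; the method list, the parsing rule and the sample file are my assumptions:

```python
"""Audit pg_hba.conf for authentication methods weaker than md5.

Added example, not from the original thread. Assumes the 7.3-era entry
format (host ... IP-ADDRESS IP-MASK METHOD) and the later CIDR form;
the sample file below is constructed.
"""

# Method names pg_hba.conf accepted around 7.3; 'reject' denies outright.
KNOWN_METHODS = {"trust", "reject", "md5", "crypt", "password",
                 "krb4", "krb5", "ident", "pam"}
# 'trust' needs no password at all; 'password' and 'crypt' put something
# weaker on the wire than the md5 challenge/response.
WEAK_METHODS = {"trust", "password", "crypt"}

# Constructed sample: one comment, two weak entries, two acceptable ones.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  IP-ADDRESS   IP-MASK          METHOD
local   all       all                                 trust
host    all       all   127.0.0.1    255.255.255.255  md5
host    all       all   10.0.0.0/8                    password
host    all       all   192.168.1.0  255.255.255.0    ident sameuser
"""

def parse_entries(text):
    """Yield (line_no, tokens, method) for each non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        # Take the first recognised method name after TYPE/DATABASE/USER.
        # Scanning rather than using a fixed column copes with both address
        # formats and with 'ident <map>', where the map name trails the method.
        method = next((t for t in tokens[3:] if t in KNOWN_METHODS), None)
        yield line_no, tokens, method

def weak_entries(text):
    """Return (line_no, method, entry) for every entry to fix or review.
    Unrecognised methods are reported as 'unknown' rather than skipped."""
    findings = []
    for line_no, tokens, method in parse_entries(text):
        if method is None:
            findings.append((line_no, "unknown", " ".join(tokens)))
        elif method in WEAK_METHODS:
            findings.append((line_no, method, " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for line_no, method, entry in weak_entries(SAMPLE_PG_HBA):
        print(f"line {line_no}: {method}: {entry}")
```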
