Re: Postgres Security Checklist

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Cc: eduardohitek(at)gmail(dot)com, pgsql-general(at)postgresql(dot)org
Subject: Re: Postgres Security Checklist
Date: 2009-04-06 14:00:24
Message-ID: 27274.1239026424@sss.pgh.pa.us
Lists: pgsql-general

"Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> writes:
> Here is my personal security checklist for PostgreSQL:

> - Check that there is no SQL function with SECURITY DEFINER.

Uh, that seems a pretty strange restriction. Generally, if you are
actually concerned about security at the SQL-command level, you're
going to have to have some SECURITY DEFINER functions. You can't
build a Unix system without suid programs, either.

> - Check that pg_hba.conf forbids remote connections to use "password", "crypt" or "ident" authentication.

Most people think that remote "ident" is not very secure.

regards, tom lane
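A scripted form of the pg_hba.conf check from the quoted checklist, added here as an example and not code from the thread: it parses host/hostssl/hostnossl entries and flags remote entries that use the methods the checklist names ("password", "crypt", "ident"); "trust" is flagged as well, which is my own addition since it skips authentication entirely. The sample configuration is constructed.

```python
"""Flag pg_hba.conf entries that let remote connections use a weak method.

Entries of type "local" (Unix-socket connections) are skipped; every
host/hostssl/hostnossl entry is treated as remote, including loopback.
"""
import ipaddress

# "password", "crypt" and "ident" come from the checklist; "trust" is added here.
WEAK_REMOTE_METHODS = {"password", "crypt", "ident", "trust"}
ADDRESS_KEYWORDS = {"all", "samehost", "samenet"}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba_line(line):
    """Return (type, database, user, address, method) or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    if f[0] == "local":
        return ("local", f[1], f[2], None, f[3])
    address = f[3]
    # The "IP NETMASK" form carries the mask in a separate field, so the
    # method moves one column to the right; CIDR, keywords and host names do not.
    if "/" in address or address in ADDRESS_KEYWORDS or not _is_ip(address):
        method = f[4]
    else:
        address = f"{address}/{f[4]}"
        method = f[5]
    return (f[0], f[1], f[2], address, method)


def weak_remote_entries(conf_text):
    """Return [(line_no, method, address)] for remote entries using a weak method."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        entry = parse_hba_line(raw)
        if entry is None or entry[0] == "local":
            continue
        _type, _db, _user, address, method = entry
        if method.lower() in WEAK_REMOTE_METHODS:
            findings.append((no, method, address))
    return findings


SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD   (constructed sample)
local   all       all                    ident
host    all       all   127.0.0.1/32     md5
host    all       all   10.0.0.0/8       password
hostssl app       app   192.168.1.0 255.255.255.0 crypt
host    all       all   0.0.0.0/0        ident
host    all       all   samenet          scram-sha-256
"""

if __name__ == "__main__":
    for no, method, address in weak_remote_entries(SAMPLE_HBA):
        print(f"line {no}: remote range {address} may authenticate with {method!r}")
```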
