From: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Michael Fuhr <mike(at)fuhr(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Bugtraq: Having Fun With PostgreSQL |
Date: | 2007-06-18 02:54:23 |
Message-ID: | 4675F3DF.4040403@commandprompt.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Tom Lane wrote:
> Michael Fuhr <mike(at)fuhr(dot)org> writes:
>> A message entitled "Having Fun With PostgreSQL" was posted to Bugtraq
>> today. I haven't read through the paper yet so I don't know if the
>> author discusses security problems that need attention or if the
>> article is more like a compilation of "Stupid PostgreSQL Tricks."
>> http://www.securityfocus.com/archive/1/471541/30/0/threaded
>
> It appears he's discovered the astonishing facts that
>
> 1. The out-of-the-box authentication setup is "trust".
> 2. A superuser can make the database do whatever he wants (within
> the OS privilege limits of the postgres user).
>
> We've debated #1 before, and a lot of repackagers change it, but I
> don't really feel a strong urge to change it in the source distro.
> As for #2, that's not a bug, it's intended behavior.
On #1, the fact that we allow trust as default is embarrassing. It would
be just as bad as having the default root password be password on a
linux box. We should be using md5 and force passing the password with
initdb.
Sincerely,
Joshua D. Drake
>
> regards, tom lane
>
> PS: I skimmed the paper pretty fast, so it's possible I missed
> something interesting, but it sure looked like "what else is new?"
>
> ---------------------------(end of broadcast)---------------------------
> TIP 7: You can help support the PostgreSQL project by donating at
>
> http://www.postgresql.org/about/donate
>
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
From | Date | Subject | |
---|---|---|---|
Next Message | Christopher Browne | 2007-06-18 04:38:46 | Re: Bugtraq: Having Fun With PostgreSQL |
Previous Message | Andrew Dunstan | 2007-06-18 02:12:57 | Re: CSVlog vs tabs |