Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens
| From | Bruce Momjian |
|---|---|
| Subject | Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens |
| Date | |
| Msg-id | 200111280150.fAS1oSv05626@candle.pha.pa.us |
| In reply to | FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone! ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>) |
| List | pgsql-hackers |
This is a known problem. I just updated the documentation today to stress
that local users have full access to any database by default, and that
initdb -W and changing pg_hba.conf to password/md5 are the best ways to fix
this.

---------------------------------------------------------------------------

> Hi guys,
>
> This came across the phpPgAdmin list, and I'm reposting it here in case it
> is actually true...? If it is, is it a Postgres or a Debian package issue?
>
> Chris
>
> -----Original Message-----
> From: phppgadmin-devel-admin@lists.sourceforge.net
> [mailto:phppgadmin-devel-admin@lists.sourceforge.net] On Behalf Of Guilherme
> Barile
> Sent: Wednesday, 28 November 2001 3:58 AM
> To: phpPgAdmin-devel@lists.sourceforge.net
> Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
> anyone!
>
>
> Debian comes with a severe configuration fault in postgresql ... in
> pg_hba.conf, it uses TRUST as the default authentication method (from
> localhost) ... as phpPgAdmin runs on localhost, anyone can log in without a
> password.
>
> There are DOZENS of sites out there running without any security! And this
> is terrible! If I weren't a very nice person and simply didn't change
> anything (I could, as postgres is superuser and I can log in as it).
> Here's how to fix it (on debian, don't know if any other distribution is
> affected):
> log in as postgres
> run psql
> check the pg_shadow table (SELECT * FROM pg_shadow;)
> see if everyone has a password (especially user postgres)
>
> After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
> following lines:
>
> local all password
> host all 127.0.0.1 255.0.0.0 password
>
> Then it will require a password.
> Also, if you wish to block connections from the internet, add this also:
>
> host all 0.0.0.0 0.0.0.0 reject
>
> Please put this on the page or together with PhpPgAdmin's documentation.
> (Search google.com with "phppgadmin local:5432" and check for yourself ...
> login as postgres and type anything as password!)
>
>
> Thank you very much for your attention (Please be kind and reply)
>
> Guilherme Barile
> Infoage Web Solutions
> Sao Paulo - SP - Brazil
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
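The whole thread turns on one pg_hba.conf setting: a `trust` record lets any client that can reach the socket or 127.0.0.1 connect as any role, the `postgres` superuser included, with no password at all. The following audit script is an added example and is not part of this message or of any PostgreSQL or Debian code; it parses a pg_hba.conf, flags `trust` records, and reports `password` records (cleartext on the wire) as weaker than `md5`. It accepts both the 2001-era layout quoted above (`host db addr netmask method`, no user column) and the current layout (`host db user addr[/cidr] method [options]`). All three configurations embedded below are constructed samples, not copies of any shipped default.

```python
"""Audit a pg_hba.conf for passwordless (`trust`) access.

Added example, not code from the original mailing-list message. Every
configuration sample in this file is constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Methods that make the client prove its identity before a session opens.
AUTHENTICATING_METHODS = {
    "password", "md5", "scram-sha-256", "crypt", "cert", "peer", "ident",
    "gss", "sspi", "ldap", "pam", "radius",
}


@dataclass
class HbaRecord:
    conn_type: str   # local / host / hostssl / hostnossl
    database: str
    method: str
    raw: str
    lineno: int


def parse_pg_hba(text: str) -> list[HbaRecord]:
    """Parse pg_hba.conf records, skipping comments and blank lines.

    The connection type is always the first token. The method is the last
    token that is not a key=value option, which covers both the old layout
    (`host all 127.0.0.1 255.0.0.0 password`) and the modern one
    (`host all all 127.0.0.1/32 scram-sha-256 clientcert=verify-full`).
    """
    records: list[HbaRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        if len(tokens) < 3:
            continue  # too short to be a record; the server would reject it
        method_tokens = [t for t in tokens[1:] if "=" not in t]
        records.append(HbaRecord(tokens[0].lower(), tokens[1],
                                 method_tokens[-1].lower(), body, lineno))
    return records


def audit_pg_hba(text: str) -> list[str]:
    """Return one finding per weak or unrecognised record (empty = clean)."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec.method == "trust":
            findings.append(f"line {rec.lineno}: '{rec.raw}' grants passwordless "
                            f"access ({rec.conn_type}, db={rec.database})")
        elif rec.method == "password":
            findings.append(f"line {rec.lineno}: '{rec.raw}' sends the password in "
                            f"clear text; prefer md5 or scram-sha-256")
        elif rec.method != "reject" and rec.method not in AUTHENTICATING_METHODS:
            findings.append(f"line {rec.lineno}: unknown method '{rec.method}'")
    return findings


def allows_passwordless(text: str) -> bool:
    """True if any record in the file uses the `trust` method."""
    return any(r.method == "trust" for r in parse_pg_hba(text))


# Constructed sample: the shape of the configuration the thread complains about.
DEBIAN_DEFAULT_2001 = """\
# constructed sample, not a real package default
local   all                              trust
host    all   127.0.0.1   255.0.0.0      trust
"""

# Constructed sample: the fix quoted in the thread, old layout.
HARDENED_2001 = """\
local all password
host all 127.0.0.1 255.0.0.0 password
host all 0.0.0.0 0.0.0.0 reject
"""

# Constructed sample: the same policy in the current layout, with a hashed
# challenge-response method instead of a cleartext password.
MODERN_HARDENED = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  scram-sha-256
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      reject
"""

if __name__ == "__main__":
    for name, cfg in (("debian-2001", DEBIAN_DEFAULT_2001),
                      ("hardened-2001", HARDENED_2001),
                      ("modern", MODERN_HARDENED)):
        print(f"== {name}: passwordless={allows_passwordless(cfg)}")
        for finding in audit_pg_hba(cfg):
            print("  ", finding)
```

Run it against a real file with `audit_pg_hba(open("/etc/postgresql/.../pg_hba.conf").read())` (path depends on the installation). A `trust` finding is the condition described in the thread; the `password` finding only says that the quoted 2001 fix, while it does require a password, sends it unhashed, which is why the reply recommends md5 as well.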