Re: Open 7.3 items

Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Tom Lane wrote:
> > Socket permissions - only install user can access db by default
> >> 
> >> I do not agree with this goal.
> 
> > OK, this is TODO item:
> 
> > * Make single-user local access permissions the default by limiting
> >   permissions on the socket file (Peter E)
> 
> Yes, I know what the TODO item says, and I disagree with it.
> 
> If we make the default permissions 700, then it's impossible to access
> the database unless you run as the database owner.  This is not a
> security improvement --- it's more like claiming that a Linux system
> would be more secure if you got rid of ordinary users and did all your
> work as root.  We should *not* encourage people to operate that way.
> (It's certainly unworkable for RPM distributions anyway; only a user
> who is hand-building a test installation under his own account would
> possibly think that this is a useful default.)

I hope they would loosen the default in postgresql.conf rather than
having everyone come in as the same user.  By the time you create new
user accounts, it is trivial to modify postgresql.conf.

> I could see a default setup that made the permissions 770, allowing
> access to anyone in the postgres group; that would at least bear some
> slight resemblance to a workable production setup.  However, this
> assumes that the DBA has root privileges, else he'll not be able to
> add/remove users from the postgres group.  Also, on systems where users
> all belong to the same "users" group, 770 isn't really better than 777.

Yes, groups are nice, but in most cases with a group 'users', it is the
same as world-writable.

> The bottom line here is that there isn't any default protection setup
> that is really widely useful.  Everyone's got to adjust the thing to
> fit their own circumstances.  I'd rather see us spend more documentation
> effort on pointing this out and explaining the alternatives, and not
> think that we can solve the problem by making the default installation
> so tight as to be useless.

I think we are much safer shipping as secure and asking people to loosen
it if they want wider access.  I can imagine a Bugtrack item for
PostgreSQL where they report we ship wide-open for local users.  They
have already reported we don't encrypt our passwords, and we are dealing
with that.  You can say that we tell people to change the default, but
if we install that way, they have a legitimate grip, and PostgreSQL has a
perception problem.

The default unix permissions are world-readable, owner-writable.  We
ship with world-read/write.  I know of _no_ other software that does
that and I can't see how we get away with it.  I will also add that I am
the biggest proponent of tightening things up and on one else seems to
be as concerned about it.  I am not sure why.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026