Denis Pugnere wrote:
>
> PG 7.0.2, RH Linux 6.2
>
> I'm trying to secure access to pgsql databases.
> The policy I use is to only allow access to databases with passwords.
>
> For this, I use in pg_hba.conf:
> local all password
> host all 127.0.0.1 255.255.255.255 password
>
> I don't understand why with this configuration I can access all
> databases even if I'm not the owner. For example: if the database test is
> owned by user1 and this user has all grants on all tables in this
> database, every user created with "CREATE USER ..." (with or without
> password) in the local system can run a command like:
>
> user2% psql test -U user1
> Welcome to psql, the PostgreSQL interactive terminal.
>
> Type: \copyright for distribution terms
> \h for help with SQL commands
> \? for help on internal slash commands
> \g or terminate with semicolon to execute query
> \q to quit
>
> test=>
>
> Why is this access allowed?
> How do I secure access to databases?
Have that "unauthorized" user try a SELECT and see what happens. They
are allowed to connect, but not to retrieve any records.
--
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Linux. The choice of a GNU Generation. <http://www.linux.org/>
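The distinction Anthony's reply relies on, shown as an added SQL example that is not part of the original thread: the `password` method in pg_hba.conf only decides whether a connection is authenticated, while what a connected user may read or write is decided by the table privileges granted by the owner. The database `test` and users `user1`/`user2` are the names from Denis's message; the table `accounts`, its rows and the passwords are constructed for this illustration, and the pg_hba.conf lines at the end assume a PostgreSQL release that has a user column in that file (newer than the 7.0.2 in the question), which is an assumption and not something the thread states.

```sql
-- Added example, not from the original thread.
-- Part 1: run as a superuser (e.g. psql -U postgres test).
-- Both users get passwords so that the "password" method in
-- pg_hba.conf lets them authenticate.  (Constructed passwords.)
CREATE USER user1 WITH PASSWORD 'constructed-pw-1';
CREATE USER user2 WITH PASSWORD 'constructed-pw-2';

-- Part 2: run as user1 (psql test -U user1).
-- user1 owns the table, so user1 holds every privilege on it.
CREATE TABLE accounts (id integer, balance numeric);
INSERT INTO accounts VALUES (1, 100);

-- Part 3: run as user2 (psql test -U user2).
-- The connection itself succeeds: user2 presented a valid password,
-- which is all that pg_hba.conf checks.  The data is still protected,
-- because no privilege on "accounts" has been granted to user2:
SELECT * FROM accounts;
-- ERROR:  permission denied  (exact wording varies between versions)
INSERT INTO accounts VALUES (2, 5);
-- ERROR:  permission denied

-- Part 4: run as user1 again.  Privileges are granted explicitly and
-- narrowly; here user2 gets read access and nothing else.
GRANT SELECT ON accounts TO user2;
-- user2 can now SELECT but still cannot INSERT, UPDATE or DELETE.
-- To take the access away again:
REVOKE SELECT ON accounts FROM user2;

-- Part 5 (assumption: a release whose pg_hba.conf has a user column).
-- If user2 should not even be able to open a connection to "test",
-- restrict the connection side as well.  Lines are matched top-down and
-- a connection that matches no line is refused, so listing only user1
-- for "test" keeps every other user out of that database entirely:
--
--   # TYPE  DATABASE  USER   METHOD
--   local   test      user1  md5
--   host    test      user1  127.0.0.1/32  md5
```

Checking a setup this way, as the reply suggests, means connecting as the non-owner and running a SELECT; a "permission denied" answer shows the grants are doing their job even though the login was accepted. The pg_hba.conf restriction in part 5 is the extra layer for cases where a user should not be able to reach a database at all, not just be unable to read its tables.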