Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue

From Isaac Morland
Subject Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue
Date
Msg-id CAMsGm5fRxYVF+0JPGLyuKK_J5Hpj9sj=ecVdZ1UEe9yN6n8e_A@mail.gmail.com
In response to Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue  (Michael Paquier <michael@paquier.xyz>)
Responses Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue
List pgsql-hackers
On Mon, 21 Aug 2023 at 19:23, Michael Paquier <michael@paquier.xyz> wrote:

I am not sure that we need to change this historic term, TBH.  Perhaps
it would be shorter to just rip off the trust method from the tree
with a deprecation period but that's not something I'm much in favor
of either (I use it daily for my own stuff, as one example).
Another, more conservative approach may be to make it a developer-only
option and discourage more its use in the docs.

I hope we're not really considering removing the "trust" method. For testing and development purposes it's very handy — just tell the database, running in a VM, to allow all connections and just believe who they say they are from a client process running in the same or a different VM, with no production data anywhere in sight and no connection to the real network.

If people are really getting confused and using it in production, then change the documentation to make it even more clear that it is a non-authenticating setting which is there specifically to bypass security in testing contexts. Ultimately, real tools have the ability to cut your arm off, and our documentation just needs to make clear which parts of Postgres are like that.
