Discussion: Security - local(TRUST) and php/perl access
Currently we TRUST local users so pretty much any user can access any database from the shell.

When PHP or Perl(DBI) accesses the postgres database, can they simply specify any userid and database set as a local user would, or are they restricted to the "host sameuser 0.0.0.0 0.0.0.0 password" setting in pg_hba.conf?

Dave
Dave,

> Currently we TRUST local users so pretty much any user can access any
> database from the shell.
> When PHP or Perl(DBI) accesses the postgres database, can they simply
> specify any userid and database set as a local user would, or are they
> restricted to the
> "host sameuser 0.0.0.0 0.0.0.0 password" setting in pg_hba.conf

Anything running on the same machine, whether a shell, PHP, or Perl, is covered by the "trust" statement, unless you make the mistake of routing your connection through an external interface.

However, I strongly recommend against using "trust" on any public web server.

-Josh Berkus
>Anything running on the same machine, whether a shell, PHP, or Perl, is
>covered by the "trust" statement, unless you make the mistake of
>routing your connection through an external interface.

this is what I was afraid of

>However, I strongly recommend against using "trust" on any public web
>server.

agreed, thus my concern...

it appears however that if everything is set to password (or better) that postgres doesn't start on reboot.

the startup script reads

    case $1 in
    start)
        [ -d /usr/local/pgsql/lib ] && /sbin/ldconfig -m /usr/local/pgsql/lib
        [ -x /usr/local/pgsql/bin/pg_ctl ] && {
            su -l pgsql -c \
                'exec /usr/local/pgsql/bin/pg_ctl -w start > /usr/local/pgsql/errlog'
            echo -n ' pgsql'
        }
        ;;

essentially what happens is that the startup waits for the password to be entered, and as such that and any following services in the local/rc directory are never started... it times out after a time (if memory serves).

workaround without security ramifications?

Dave
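
An added example, not part of the original thread: a small audit that lists the pg_hba.conf rules using "trust", the setting Josh describes as covering every local shell, PHP or Perl process. The sample file is constructed, and matching the method by name is an assumption that no role is literally named after an authentication method.

```python
"""Added example: list pg_hba.conf rules whose auth method is "trust"."""

# Constructed sample in the column layout quoted in the thread
# (TYPE DATABASE [IP_ADDRESS MASK] METHOD); not from a real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  IP_ADDRESS  MASK              METHOD
local   all                                     trust
host    all       127.0.0.1   255.255.255.255   trust
host    sameuser  0.0.0.0     0.0.0.0           password
"""

RULE_TYPES = {"local", "host", "hostssl", "hostnossl"}
AUTH_METHODS = {
    "trust", "reject", "password", "crypt", "md5", "ident", "peer",
    "krb4", "krb5", "pam", "scram-sha-256", "gss", "sspi", "ldap",
    "radius", "cert",
}


def auth_method(fields):
    """Return the rule's auth method, or None if none is recognised.

    Column counts differ between PostgreSQL versions (older files have no
    USER column, newer ones accept CIDR addresses), so the method is taken
    as the first known method name after the DATABASE column.
    Assumption: no role is named after an auth method.
    """
    for field in fields[2:]:
        if field in AUTH_METHODS:
            return field
    return None


def find_trust_rules(hba_text):
    """Return (line_number, rule_type, database) for every trust rule."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not fields or fields[0] not in RULE_TYPES:
            continue
        if auth_method(fields) == "trust":
            findings.append((lineno, fields[0], fields[1]))
    return findings


if __name__ == "__main__":
    for lineno, rule_type, database in find_trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: {rule_type} rule for database "
              f"'{database}' accepts any claimed user without a password")
```
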