Date: Wed, 29 Sep 1999 09:46:30 +0200
From: Jeroen Ruigrok/Asmodai
To: Robert Watson
Cc: database@freebsd.org
Subject: Re: Postgres -- ancillary data to authenticate?
Message-ID: <19990929094630.E38679@daemon.ninth-circle.org>

On [19990929 03:17], Robert Watson (robert@cyrus.watson.org) wrote:
>
>I have a postgresql database set up on a server, and was upset when I
>discovered that psql -u allows authentication to the database as any other
>user without a password, as the default configuration is to trust all
>local connections. I was wondering if anyone knew of patches (or better
>yet, it being supported built-in) to use the sendmsg ancillary data to pass
>uids/gids and authentication the UNIX domain socket, or a setuid/gid/etc
>binary of psql that is trusted to gather the info, etc. Similarly,
>whether anyone knew about support for PAM, BSD-style.

Ehm, you missed the obvious:

/usr/local/pgsql/lib/pg_hba.conf.sample

which you need to copy to:

/usr/local/pgsql/lib/pg_hba.conf

and which controls access.

>My feeling is there should be a big warning label somewhere obvious saying
>"BY DEFAULT ALL USERS ON THE DATABASE SERVER HAVE FULL ACCESS TO ALL
>DATABASES" :-).
>
> Robert N M Watson

*grin* yeah, RTFM Robert ;)

But seriously, this was all discussed in the manuals for installation IIRC.

And there's always the SQL GRANT command plus database access restriction.

There are options. You just missed a lot of ways to do them.

HTH a bit,

--
Jeroen Ruigrok van der Werven/Asmodai asmodai(at)wxs.nl
The BSD Programmer's Documentation Project
Network/Security Specialist
BSD: Technical excellence at its best
Millions for defence but not one cent for tribute.
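
An added example, not part of the original message or of PostgreSQL: a small Python audit of the pg_hba.conf file named in the reply, listing every record that admits clients under the `trust` setting Robert describes. The sample file is constructed, and finding the method column by keyword is an assumption made so that both the older `local DB METHOD` layout and the newer `local DB USER METHOD` layout are handled.

```python
# Methods that admit a client with no proof of identity.
NO_AUTH = {"trust"}
# Keywords used to locate the method column. Assumption: scanning for the
# first known keyword after the database column handles both record layouts;
# a role or address literally named like a method would be misread.
METHODS = NO_AUTH | {"reject", "password", "crypt", "md5", "scram-sha-256",
                     "ident", "peer", "pam", "krb4", "krb5", "gss", "sspi",
                     "ldap", "radius", "cert", "bsd"}
CONN_TYPES = {"local", "host", "hostssl", "hostnossl"}


def audit_hba(text):
    """Return (line_no, conn_type, database, method) for every record that
    lets clients connect without authenticating."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] not in CONN_TYPES or len(tok) < 3:
            continue                          # not an access record
        # First method keyword after the connection type and database.
        method = next((t for t in tok[2:] if t in METHODS), None)
        if method in NO_AUTH:
            findings.append((no, tok[0], tok[1], method))
    return findings


# Constructed sample input, not taken from any real server.
SAMPLE = """\
# TYPE  DATABASE  [USER]  [ADDRESS]  METHOD
local   all                                   trust
host    all       127.0.0.1  255.255.255.255  trust   # loopback
local   sales     all                         peer
host    all       all  10.0.0.0/8             scram-sha-256
# host  all       0.0.0.0    0.0.0.0          trust
"""

if __name__ == "__main__":
    for no, ctype, db, method in audit_hba(SAMPLE):
        print(f"line {no}: {ctype} connections to '{db}' use '{method}'")
```
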