Date: Fri, 12 Sep 2003 15:59:25 -0500
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-questions@freebsd.org
Subject: Trying to secure PostgreSQL
Message-ID: <87r82lbu4y.fsf@strauser.com>

I'm running PostgreSQL 7.3 on a FreeBSD 5.1 server. The databases are
working well and it's humming along nicely, but I really want to secure it.
In particular, my pg_hba.conf looks like:

    local all pgsql trust
    host all all 127.0.0.1 255.255.255.255 md5
    host all all 10.0.5.16 255.255.255.255 md5

This isn't very good. Any user connecting to the machine via the network is
authenticated as expected, but local connections slide in without
protection.

The biggest problem with this comes with running phpPgAdmin. Since it runs
under Apache on the same server, it uses a local connection to the database.
That means that Joe User can type

    Username: pgsql
    Password: <blank>

and have full read/write access to all of my databases. This is not good.

The alternative seems to be re-writing the first line of pg_hba.conf as

    local all all md5

That works decently, *except* that I have to enter the password for `pgsql'
before the database startup.

I've Googled for the answer, but there seems to be a tremendous amount of
chaff with the wheat. I know other admins have dealt with this; how did you
handle it? Is there an important document I'm missing somewhere?

-- 
Kirk Strauser

"94 outdated ports on the box,
 94 outdated ports.
 Portupgrade one, an hour 'til done,
 82 outdated ports on the box."
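
The first-match behaviour behind the two pg_hba.conf variants in the message above, as an added example that is not part of the original post: it parses 7.3-style records and reports which method a given connection would receive. The function names are hypothetical, the database name "template1" and user "joe" are sample values, and only `all` and comma-separated names are matched (no groups, files or `sameuser`).

```python
import ipaddress

# Constructed from the two configurations quoted in the message above.
ORIGINAL = """\
local all pgsql trust
host  all all 127.0.0.1 255.255.255.255 md5
host  all all 10.0.5.16 255.255.255.255 md5
"""
PROPOSED = ORIGINAL.replace("local all pgsql trust", "local all all md5")

def parse(text):
    """Parse 7.3-style records: local DB USER METHOD / host DB USER IP MASK METHOD."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            records.append(("local", fields[1], fields[2], None, fields[3]))
        elif fields[0] == "host" and len(fields) >= 6:
            net = ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
            records.append(("host", fields[1], fields[2], net, fields[5]))
        else:
            raise ValueError(f"unrecognised record: {line!r}")
    return records

def _matches(field, value):
    # Simplification (assumption): only 'all' and comma-separated names are handled.
    return field == "all" or value in field.split(",")

def method_for(records, db, user, addr=None):
    """Return the auth method of the first matching record, or None (rejected).
    addr=None means a Unix-socket ('local') connection."""
    for kind, rdb, ruser, net, method in records:
        if (kind == "local") != (addr is None):
            continue
        if net is not None and ipaddress.ip_address(addr) not in net:
            continue
        if _matches(rdb, db) and _matches(ruser, user):
            return method
    return None

def passwordless(records):
    """List (type, database, user) for every record that requires no credentials."""
    return [(k, d, u) for k, d, u, _, m in records if m == "trust"]
```

With ORIGINAL, a local connection as pgsql resolves to trust while any other local user matches no record; with PROPOSED every local connection resolves to md5, which is the trade-off the message describes.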