Folks-

I'm a bit concerned about postgres security. Here's the situation. I've
got the following in pg_hba.conf:

local        all                                         trust  sameuser
local        all                                         trust  pgwww
host         all         127.0.0.1     255.255.255.255   trust  pgwww
host         all         127.0.0.1     255.255.255.255   trust  sameuser
host         all         128.32.93.0   255.255.255.128   trust  sameuser
host         all         0.0.0.0       0.0.0.0           password

I take this to mean that a user on the local machine should be
authenticated without a password as long as the username they are using in
pg is the same as their login name.  That is, say, if aperrin issues psql
demogdata, he should be granted aperrin's permissions on the database, but
if he does psql -u demogdata and becomes a different user, he should have
to issue the right password to gain access, right?

Well, that's not what's happening. In the transcript below, I am logged
into the computer as nttest, a user with no postgres permissions. The
first try, I issued the right password for aperrin; the second try, I
issued the wrong password.  Both times, I was allowed to insert rows into
a table.  Why?

nttest@davis ~> whoami
nttest 
nttest@davis ~> /opt/pgsql/bin/psql -u demogdata
Username: aperrin
Password: 

Welcome to the POSTGRESQL interactive sql monitor:
  Please read the file COPYRIGHT for copyright terms of POSTGRESQL
[PostgreSQL 6.5.0 on sparc-sun-solaris2.6, compiled by /usr/local/bin/gcc
]

   type \? for help on slash commands
   type \q to quit
   type \g or terminate with semicolon to execute query
 You are currently connected to the database: demogdata

demogdata=> insert into personal_data (last_name) values ('perrin');
INSERT 964512 1
demogdata=> \q
nttest@davis ~> /opt/pgsql/bin/psql -u demogdata
Username: aperrin
Password: 

Welcome to the POSTGRESQL interactive sql monitor:
  Please read the file COPYRIGHT for copyright terms of POSTGRESQL
[PostgreSQL 6.5.0 on sparc-sun-solaris2.6, compiled by /usr/local/bin/gcc
]

   type \? for help on slash commands
   type \q to quit
   type \g or terminate with semicolon to execute query
 You are currently connected to the database: demogdata

demogdata=> insert into personal_data (last_name) values ('perrin');
INSERT 964544 1
demogdata=> \q


---------------------------------------------------------------------
Andrew J. Perrin - [EMAIL PROTECTED] - NT/Unix Admin/Support
Department of Demography    -    University of California at Berkeley
2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199
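A small first-match checker for rules in the layout quoted above, added here as an illustration (it is not code from the post or from PostgreSQL itself; assumes Python 3 and the 6.x "local db method [map]" / "host db ip mask method [map]" layout, constructed copy of the file embedded). Run against that configuration it shows that a socket connection such as psql with no -h hits the first "local ... trust" line, and that under trust no credential is checked for whatever username is claimed.

```python
import ipaddress

# Constructed copy of the pg_hba.conf quoted in the post (PostgreSQL 6.x layout:
# "local db method [map]" and "host db ip mask method [map]"; first match wins).
HBA = """
local        all                                         trust  sameuser
local        all                                         trust  pgwww
host         all         127.0.0.1     255.255.255.255   trust  pgwww
host         all         127.0.0.1     255.255.255.255   trust  sameuser
host         all         128.32.93.0   255.255.255.128   trust  sameuser
host         all         0.0.0.0       0.0.0.0           password
"""

def parse_hba(text):
    """Parse local/host rules; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "local":
            rules.append({"type": "local", "db": f[1], "net": None,
                          "method": f[2], "arg": f[3] if len(f) > 3 else None})
        elif f[0] == "host":
            net = ipaddress.IPv4Network((f[2], f[3]), strict=False)
            rules.append({"type": "host", "db": f[1], "net": net,
                          "method": f[4], "arg": f[5] if len(f) > 5 else None})
    return rules

def first_match(rules, conn_type, db, ip=None):
    """Return the first rule covering this connection, as the server does."""
    for r in rules:
        if r["type"] != conn_type or r["db"] not in ("all", db):
            continue
        if conn_type == "host" and ipaddress.IPv4Address(ip) not in r["net"]:
            continue
        return r
    return None

def identity_check(rules, conn_type, db, ip=None):
    """Describe what, if anything, the matching rule verifies about the claimed user."""
    r = first_match(rules, conn_type, db, ip)
    if r is None:
        return "refused: no matching rule"
    if r["method"] == "trust":
        # trust is unconditional; a trailing map name such as "sameuser" is the
        # ident method's argument and is not consulted here.
        return "trust: any username accepted, no credential checked"
    if r["method"] == "ident":
        return "ident map %s: OS login name checked via ident" % r["arg"]
    return "%s: credential required for the claimed username" % r["method"]
```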