Re: Tightening the trust auth advice

Thu, 12 Jan 2023 13:46:24 -0800 

On 1/12/23 4:32 AM, Magnus Hagander wrote:
The page at https://www.postgresql.org/docs/current/auth-trust.html <https://www.postgresql.org/docs/current/auth-trust.html> goes through some length to explain why Trust is sometimes a good idea. 

Is it really though? And in particular, aren't there better choices?



This first case it lists sounds like a good case for "peer" 
authentication...and the multi-user case it lists also sounds like a goo 
use for "peer".



The case that I think "trust" is good at, which we don't list, is doing 
local development / testing of PG.



As a first step, I think we should put a <warning> box on the page 
explicitly saying that that trust, unless limited in pg_hba, will allow 
any user to become superuser which allows them to bypass all other 
security restrictions.


+1


Second, we're kind of going out of our way to recommend setting unix 
socket permissions etc -- in those cases, wouldn't it in almost every 
case just be better for the user to use "peer" auth instead of trust, 
and we should recommend them to use that instead? Is it really any less 
appropriate and/or convenient? (It was listed as appropriate back in 
2001 inĀ 6f0f5bf2fbe, but the world has changed a bit in 20+ years..)



Yeah, I think forwarding folks to the documentation on "peer" is a good 
idea here. I don't know if we want to keep any language around for 
historical context "Prior to "peer" auth, "trust" was used for this but 
on modern systems you can use "peer" instead for better security."



And finally, the sentence "It is seldom reasonable to use trust for any 
TCP/IP connections other than those from localhost (127.0.0.1)." should 
probably be amended with an ", and only reasonable for localhost if you 
trust every single user on the host"?



I'd invert it: "It is not recommended to use "trust" for any TCP/IP 
(non-local) connection. You should use "trust" with localhost 
(127.0.0.1) connections only if you trust every single user on that host."



Thoughts? I'll be happy to work up a patch if there's agreement on the 
general idea.



Reading through this, I'm not shocked there's still a good amount of 
"trust" prevalent in the wild. I agree with tightening this up.


Jonathan




Attachment:
OpenPGP_signature

Description: OpenPGP digital signature






















					Reply via email to