On 05/18/2015 11:36 AM, Jim Nasby wrote:
> On 5/17/15 10:58 PM, Josh Berkus wrote:
>> The goal here was stated to be preventing authentication misconfiguration
>> by shortsighted admins who have superuser access and the ability to
>> change pg_hba.conf. This is tantamount to giving someone a gun and
>> bullets, but expecting duct tape across the cartridge slot to prevent
>> them from loading or using the gun.
>
> The idea is to prevent *accidental* misconfiguration, not to try and
> permanently lock them out. IE: make them think before allowing them to
> just do something silly. Disabling auth methods at compile time seems
> a very reasonable way to accomplish that.

It's not more secure or more useful if it increases substantially the
difficulty and disruption of recovering from misconfiguration, whether
accidental or not. Disabling both trust and peer would do just that,
without significantly impeding malicious users.
cheers
andrew