Peter Eisentraut wrote:
> Magnus Hagander wrote:
> > This one makes it mandatory to pick some kind of authentication. If
> > that's not wanted, it's easy to change it to default to trust (which
> > I think is wrong, but we've been through that already..)
> I don't think I like any of this.  Sooner rather than later, people need 
> to look at pg_hba.conf and think about it.  I don't like switches that 
> induce them to skip that step.  And I certainly don't like forcing 
> extra switches on users that just try out an installation locally.
> I would be in favor of making everything supertight and secure by 
> default, no questions asked.  The is a definable goal.  But as long as 
> there is no agreement on that, let's not create illusions in that 
> direction while inconveniencing a bunch of people for little gain.

I think the basic problem is that right now there is no way to do an
initdb and have it be secure _before_ you edit pg_hba.conf.  That isn't
acceptable.  If I am on an insecure machine, the window if time between
initdb and editing of pg_hba.conf is pretty bad.  I could edit
pg_hba.conf.sample, but then I am editing a sample file.

I think Magnus's patch takes us closer to secure.  I do agree that by
default we shouldn't require any flag and install unsecure and issue a

  Bruce Momjian                        |
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

---------------------------(end of broadcast)---------------------------
TIP 8: explain analyze is your friend

Reply via email to