Re: [GENERAL] Oracle DB Worm Code Published

2006-01-08 Thread Ian Harding
On 1/7/06, Magnus Hagander [EMAIL PROTECTED] wrote:
  A recent article about an Oracle worm:
  http://www.eweek.com/article2/0,1895,1880648,00.asp
  got me wondering.
  Could a worm like this infect a PostgreSQL installation?
  It seems to depend on default usernames and passwords - and
  lazy DBAs, IMO.
  Isn't it true that PostgreSQL doesn't have any default user/password?

 That's true. however, PostgreSQL ships by default with access mode set
 to trust, which means you don't *need* a password. And I bet you'll
 find the user being either postgres or pgsql in 99+% of all
 installations.

 We do, however, ship with network access disabled by default. Which
 means a worm can't get to it, until you enable that. But if you enable
 network access, and don't change it from trust to something else (such
 as md5), then you're wide open to this kind of entry.


I don't think it's quite that easy.  The default installs from SUSE
and other RPM I have done are set to ident sameuser for local
connections.  Even if you turn on the -i flag, you can't get in
remotely since there is no pg_hba.conf record for the rest of the
world by default.  You would have to add a record to pg_hba.conf.

PostgreSQL is remarkably secure out of the box compared to Brand X.

---(end of broadcast)---
TIP 5: don't forget to increase your free space map settings


[GENERAL] Oracle DB Worm Code Published

2006-01-07 Thread TJ O'Donnell

A recent article about an Oracle worm:
http://www.eweek.com/article2/0,1895,1880648,00.asp
got me wondering.
Could a worm like this infect a PostgreSQL installation?
It seems to depend on default usernames and passwords -
and lazy DBAs, IMO.
Isn't it true that PostgreSQL doesn't have any default user/password?
Is this an issue we should be concerned about, at some level?

TJ O'Donnell


Re: [GENERAL] Oracle DB Worm Code Published

2006-01-07 Thread Magnus Hagander
 A recent article about an Oracle worm:
 http://www.eweek.com/article2/0,1895,1880648,00.asp
 got me wondering.
 Could a worm like this infect a PostgreSQL installation?
 It seems to depend on default usernames and passwords - and 
 lazy DBAs, IMO.
 Isn't it true that PostgreSQL doesn't have any default user/password?

That's true. however, PostgreSQL ships by default with access mode set
to trust, which means you don't *need* a password. And I bet you'll
find the user being either postgres or pgsql in 99+% of all
installations.

We do, however, ship with network access disabled by default. Which
means a worm can't get to it, until you enable that. But if you enable
network access, and don't change it from trust to something else (such
as md5), then you're wide open to this kind of entry.

(Just create an untrusted PL and hack away - assuming those binaries are
in there, but I bet they are in most installations)

//Magnus
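Both Magnus's point (a `trust` entry means no password is checked) and Ian's (the shipped `pg_hba.conf` only has `local`/loopback entries such as `ident sameuser`, so nothing is reachable from the rest of the world until a record is added) come down to what is in `pg_hba.conf`. The following is an added example written for this page, not code from the thread or from the PostgreSQL project: a small audit of `pg_hba.conf` entries that flags `trust` lines and reports whether each `host` line is reachable beyond loopback. It assumes the 2006-era entry types (`local`, `host`, `hostssl`, `hostnossl`) with either CIDR or `address netmask` forms, and the two sample files are constructed for illustration, one showing the "wide open" state the thread describes and one showing the obvious fix.

```python
"""Audit pg_hba.conf entries for the weakness discussed in the thread:
``trust`` (no credentials needed) on an entry reachable over the network.

Added example, not PostgreSQL project code.  Assumes the classic entry
types only (local/host/hostssl/hostnossl); the sample configs below are
constructed for illustration and are not taken from any real install.
"""
import ipaddress
from typing import List, Optional, Tuple

HOST_TYPES = {"host", "hostssl", "hostnossl"}
NO_AUTH = {"trust"}  # method that lets anyone in without a password

# Constructed sample: network access enabled and left on 'trust'.
WEAK_HBA = """
# TYPE  DATABASE    USER        ADDRESS               METHOD
local   all         all                               trust
host    all         all         127.0.0.1/32          trust
host    all         all         0.0.0.0/0             trust
"""

# Constructed sample: local ident, password auth, one LAN range only.
HARDENED_HBA = """
# TYPE  DATABASE    USER        ADDRESS               METHOD
local   all         all                               ident sameuser
host    all         all         127.0.0.1/32          md5
host    all         all         192.168.1.0 255.255.255.0   md5
"""

Entry = Tuple[str, str, str, Optional[ipaddress.IPv4Network], str]


def parse_hba_line(line: str) -> Optional[Entry]:
    """Return (type, database, user, network-or-None, method) for one
    entry, or None for blank and comment lines.  Accepts both the CIDR
    form and the older 'address netmask' pair; a trailing ident map name
    (e.g. 'ident sameuser') is simply not part of the method."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    ctype = f[0]
    if ctype == "local":
        if len(f) < 4:
            raise ValueError(f"short local entry: {line!r}")
        return (ctype, f[1], f[2], None, f[3])
    if ctype in HOST_TYPES:
        if len(f) < 5:
            raise ValueError(f"short host entry: {line!r}")
        if "/" in f[3]:  # CIDR form: ADDRESS METHOD
            net = ipaddress.ip_network(f[3], strict=False)
            method = f[4]
        else:  # old form: ADDRESS NETMASK METHOD
            if len(f) < 6:
                raise ValueError(f"missing netmask/method: {line!r}")
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            method = f[5]
        return (ctype, f[1], f[2], net, method)
    raise ValueError(f"unknown entry type {ctype!r}: {line!r}")


def audit_hba(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, most serious first.
    HIGH:   trust on a host entry that is reachable beyond loopback.
    MEDIUM: trust limited to loopback or Unix-socket (local) clients.
    LOW:    an entry open to every address, even with a password method."""
    findings: List[Tuple[str, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_hba_line(raw)
        if entry is None:
            continue
        ctype, db, user, net, method = entry
        if net is not None:  # host-style entry
            loop = net.is_loopback
            if method in NO_AUTH:
                sev = "MEDIUM" if loop else "HIGH"
                where = "loopback only" if loop else f"reachable from {net}"
                findings.append((sev, f"line {n}: {ctype} {db} {user} {net} "
                                      f"trust: no password required, {where}"))
            elif net.prefixlen == 0:
                findings.append(("LOW", f"line {n}: open to every address "
                                        f"({net}) with method {method}"))
        elif method in NO_AUTH:
            findings.append(("MEDIUM", f"line {n}: local {db} {user} trust: "
                                       "any local OS user may connect as any role"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda item: rank[item[0]])


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(f"== {name} ==")
        for sev, msg in audit_hba(cfg) or [("OK", "no findings")]:
            print(f"{sev:6} {msg}")
```

The audit only looks at `pg_hba.conf`; whether the server is listening on TCP at all (the `-i` flag Ian mentions, or `listen_addresses` in later releases) is a separate check, and both have to be true before a `trust` entry is reachable from the network.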


Re: [GENERAL] Oracle DB Worm Code Published

2006-01-07 Thread Christopher Browne
 A recent article about an Oracle worm:
 http://www.eweek.com/article2/0,1895,1880648,00.asp
 got me wondering.
 Could a worm like this infect a PostgreSQL installation?
 It seems to depend on default usernames and passwords -
 and lazy DBAs, IMO.
 Isn't it true that PostgreSQL doesn't have any default user/password?
 Is this an issue we should be concerned about, at some level?

PostgreSQL doesn't allow network access, by default, which more than
makes up for that.
-- 
cbbrowne,@,cbbrowne.com
http://cbbrowne.com/info/slony.html
...Yet terrible as Unix addiction  is, there are worse fates. If Unix
is the heroin of operating systems, then VMS is barbiturate addiction,
the Mac is MDMA, and MS-DOS is sniffing glue. (Windows is filling your
sinuses  with  lucite and  letting  it set.)   You  owe  the Oracle  a
twelve-step program.  --The Usenet Oracle
