Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-28 Thread Jeremy Drake
On Tue, 26 Jun 2007, Andrew Dunstan wrote: Jeremy Drake wrote: 2. If you cannot tell what process is connecting on a local socket (which I suspect you cannot portably), See ident_unix() in hba.c. It might not be 100% portable but I think it's fairly close for platforms that actually

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-27 Thread Florian Pflug
Stephen Frost wrote: * Florian Pflug ([EMAIL PROTECTED]) wrote: Gregory Stark wrote: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. DBAs should be required to manually run GRANT EXECUTE ON dblink_connect(text) TO public; if

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-27 Thread Stephen Frost
* Florian Pflug ([EMAIL PROTECTED]) wrote: Stephen Frost wrote: Uh, have the admin create appropriate views. I meant letting them use it to connect to abitrary databases and hosts, not executing only predefined quries. My wording wasn't clear in that regard, though. Perhaps I wasn't clear.

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Andrew Hammond
On 6/25/07, Tom Lane [EMAIL PROTECTED] wrote: Andrew Hammond [EMAIL PROTECTED] writes: On 6/25/07, Tom Lane [EMAIL PROTECTED] wrote: The normal build process for any open-source package is ./configure make sudo make install ... now what? OK, time to read the manual ... Since they

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Tom Lane
Andrew Hammond [EMAIL PROTECTED] writes: On 6/25/07, Tom Lane [EMAIL PROTECTED] wrote: +1 on having such a discussion in the manual (someone else suggested that already IIRC). But I'm not seeing what a configure flag brings to the party. Like Andrew Sullivan said above, if we want to

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Andrew Sullivan
On Tue, Jun 26, 2007 at 03:08:59PM -0400, Tom Lane wrote: It still wouldn't make us secure by default. Not unless you propose to actually change the default. Perhaps I wasn't clear enough, but the suggestion I made (for something I actually don't care about, I hasten to add again) was that the

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Gregory Stark
Tom Lane [EMAIL PROTECTED] writes: As for inside connections, secure is still largely dependent on what your threat model is. Indeed I think closing Postgres to access based on the unix userid of the connecting user is the wrong threat model. That's basically saying you don't trust the unix

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Tom Lane
Gregory Stark [EMAIL PROTECTED] writes: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. Yeah, that is not an unreasonable change. Someone suggested it far upthread, but we seem to have gotten distracted :-( The only problem with

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Stephen Frost
* Tom Lane ([EMAIL PROTECTED]) wrote: Gregory Stark [EMAIL PROTECTED] writes: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. Yeah, that is not an unreasonable change. Someone suggested it far upthread, but we seem to have

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Gregory Stark
Tom Lane [EMAIL PROTECTED] writes: Gregory Stark [EMAIL PROTECTED] writes: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. Yeah, that is not an unreasonable change. Someone suggested it far upthread, but we seem to have gotten

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Andrew Dunstan
Tom Lane wrote: Gregory Stark [EMAIL PROTECTED] writes: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. Yeah, that is not an unreasonable change. Someone suggested it far upthread, but we seem to have gotten distracted

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Florian Pflug
Gregory Stark wrote: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. DBAs should be required to manually run GRANT EXECUTE ON dblink_connect(text) TO public; if that's what he wants. That serves the purpose of making PG secure by

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Stephen Frost
* Florian Pflug ([EMAIL PROTECTED]) wrote: Gregory Stark wrote: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. DBAs should be required to manually run GRANT EXECUTE ON dblink_connect(text) TO public; if that's what he wants.

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Jeremy Drake
On Tue, 26 Jun 2007, Tom Lane wrote: Gregory Stark [EMAIL PROTECTED] writes: All that really has to happen is that dblink should by default not be callable by any user other than Postgres. Yeah, that is not an unreasonable change. Someone suggested it far upthread, but we seem to have

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-26 Thread Andrew Dunstan
Jeremy Drake wrote: 2. If you cannot tell what process is connecting on a local socket (which I suspect you cannot portably), See ident_unix() in hba.c. It might not be 100% portable but I think it's fairly close for platforms that actually have unix sockets. cheers andrew

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Andrew Sullivan
On Sat, Jun 23, 2007 at 06:14:23PM +0200, Magnus Hagander wrote: The benefit would be that PostgreSQL would be secure by default. Which we are *not* today. To achieve the secure by default feature that you want (and I like the scare-quotes -- I agree with those that think this adds no real

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Tom Lane
Andrew Sullivan [EMAIL PROTECTED] writes: To achieve the secure by default feature that you want (and I like the scare-quotes -- I agree with those that think this adds no real security, but I think you're right to worry about the perception angle in this case), why not have a ./configure

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Andrew Sullivan
On Mon, Jun 25, 2007 at 01:31:52PM -0400, Tom Lane wrote: Why is that better than the initdb-time option we already have? Locking down options earlier rather than later is usually not a win. Like I said, I don't actually think it _is_ better. But it would solve the problem that some people

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Tom Lane
Andrew Sullivan [EMAIL PROTECTED] writes: On Mon, Jun 25, 2007 at 01:31:52PM -0400, Tom Lane wrote: Why is that better than the initdb-time option we already have? Locking down options earlier rather than later is usually not a win. Like I said, I don't actually think it _is_ better. But it

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Andrew Hammond
On 6/25/07, Tom Lane [EMAIL PROTECTED] wrote: Andrew Sullivan [EMAIL PROTECTED] writes: On Mon, Jun 25, 2007 at 01:31:52PM -0400, Tom Lane wrote: Why is that better than the initdb-time option we already have? Locking down options earlier rather than later is usually not a win. Like I said,

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-25 Thread Tom Lane
Andrew Hammond [EMAIL PROTECTED] writes: On 6/25/07, Tom Lane [EMAIL PROTECTED] wrote: The normal build process for any open-source package is ./configure make sudo make install ... now what? OK, time to read the manual ... Since they presumably don't know about initdb yet, yeah, I

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-24 Thread Tom Lane
Steve Atkins [EMAIL PROTECTED] writes: On Jun 23, 2007, at 11:03 AM, Magnus Hagander wrote: Out of curiosity, how do other databases deal with this? MySQL installs with an empty root password for access from localhost or the machines own IP address. It also installs an account with network

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-24 Thread Andrew Dunstan
Tom Lane wrote: Steve Atkins [EMAIL PROTECTED] writes: On Jun 23, 2007, at 11:03 AM, Magnus Hagander wrote: Out of curiosity, how do other databases deal with this? MySQL installs with an empty root password for access from localhost or the machines own IP address. It

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Magnus Hagander
Magnus Hagander wrote: That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a packager (or source) runs initdb, it would prompt for the postgres user password. Practically

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Andrew Dunstan
Magnus Hagander wrote: Magnus Hagander wrote: That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a packager (or source) runs initdb, it would prompt for the

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Tom Lane
Magnus Hagander [EMAIL PROTECTED] writes: Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: One thing I've thought about doing is to remove the default in initdb completely and *force* the user to choose auth type. I'll object if no one else does: this will break existing

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Magnus Hagander
Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: One thing I've thought about doing is to remove the default in initdb completely and *force* the user to choose auth type. Packagers can then just use that to set ident or whatever. and interactive users can pick trust if they really

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Tom Lane
Magnus Hagander [EMAIL PROTECTED] writes: One thing I've thought about doing is to remove the default in initdb completely and *force* the user to choose auth type. Packagers can then just use that to set ident or whatever. and interactive users can pick trust if they really need it, but it

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Magnus Hagander
Andrew Dunstan wrote: Magnus Hagander wrote: Magnus Hagander wrote: That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a packager (or source) runs

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Steve Atkins
On Jun 23, 2007, at 11:03 AM, Magnus Hagander wrote: I would also argue that trust auth is not such an evil option that we mustn't allow it to be the default. On a single-user machine it's actually perfectly sane, seeing that we don't allow TCP connections by default. Is there really such

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-23 Thread Magnus Hagander
Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: One thing I've thought about doing is to remove the default in initdb completely and *force* the user to choose auth type. I'll object if no one else does: this will break

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-22 Thread Jim Nasby
On Jun 19, 2007, at 1:27 PM, Josh Berkus wrote: I know there's issues with using ident sameuser via TCP, but what about for filesystem socket connections? Not all OSes support ident ... Solaris and OpenBSD for two, don't, because they see ident as insecure. What about the unix domain

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-22 Thread Tom Lane
Jim Nasby [EMAIL PROTECTED] writes: On Jun 19, 2007, at 1:27 PM, Josh Berkus wrote: Not all OSes support ident ... Solaris and OpenBSD for two, don't, because they see ident as insecure. What about the unix domain socket, though? AFAIK that doesn't rely on ident but some other method...

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-19 Thread Josh Berkus
Jim, I know there's issues with using ident sameuser via TCP, but what about for filesystem socket connections? Not all OSes support ident ... Solaris and OpenBSD for two, don't, because they see ident as insecure. We switched the default to trust localhost only after many, many complaints

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-18 Thread Tom Lane
Joshua D. Drake [EMAIL PROTECTED] writes: Christopher Browne wrote: That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a packager (or source) runs initdb, it would prompt

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-18 Thread Magnus Hagander
That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a packager (or source) runs initdb, it would prompt for the postgres user password. Practically every

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-18 Thread Devrim GÜNDÜZ
Hi, On Mon, 2007-06-18 at 01:58 -0400, Tom Lane wrote: Practically every existing packaging of PG tries to run initdb as a hidden, behind-the-scenes, definitely not-interactive procedure. Also, from RPM perspective: RPMs are *not* interactive, and will *never* be. So we cannot ask user a

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-18 Thread Stephen Frost
* Jeremy Drake ([EMAIL PROTECTED]) wrote: The crux of this seems to be two-fold: 1. If dblink is installed, an untrusted user could use it to gain privileges, either using trust/ident auth (you have a superuser named after the account the postmaster is runing as), or can be scripted to brute

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-18 Thread Jim Nasby
On Jun 18, 2007, at 12:58 AM, Tom Lane wrote: Joshua D. Drake [EMAIL PROTECTED] writes: Christopher Browne wrote: That won't help; that would introduce the embarrassment of having a known default password. No it wouldn't unless the packagers set it up to do that. My point is that when a

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-17 Thread Joshua D. Drake
Tom Lane wrote: Michael Fuhr [EMAIL PROTECTED] writes: A message entitled Having Fun With PostgreSQL was posted to Bugtraq today. I haven't read through the paper yet so I don't know if the author discusses security problems that need attention or if the article is more like a compilation of

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-17 Thread Christopher Browne
The world rejoiced as [EMAIL PROTECTED] (Joshua D. Drake) wrote: Tom Lane wrote: Michael Fuhr [EMAIL PROTECTED] writes: A message entitled Having Fun With PostgreSQL was posted to Bugtraq today. I haven't read through the paper yet so I don't know if the author discusses security problems

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-17 Thread Joshua D. Drake
Christopher Browne wrote: The world rejoiced as [EMAIL PROTECTED] (Joshua D. Drake) wrote: Tom Lane wrote: We've debated #1 before, and a lot of repackagers change it, but I don't really feel a strong urge to change it in the source distro. As for #2, that's not a bug, it's intended

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-17 Thread Tom Lane
Christopher Browne [EMAIL PROTECTED] writes: The world rejoiced as [EMAIL PROTECTED] (Joshua D. Drake) wrote: On #1, the fact that we allow trust as default is embarrassing. This is a case where it takes careful thought to grasp whether there is a problem or not. If all we do is to shift the

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-16 Thread Tom Lane
Michael Fuhr [EMAIL PROTECTED] writes: A message entitled Having Fun With PostgreSQL was posted to Bugtraq today. I haven't read through the paper yet so I don't know if the author discusses security problems that need attention or if the article is more like a compilation of Stupid

Re: [HACKERS] Bugtraq: Having Fun With PostgreSQL

2007-06-16 Thread Jeremy Drake
On Sat, 16 Jun 2007, Michael Fuhr wrote: A message entitled Having Fun With PostgreSQL was posted to Bugtraq today. I haven't read through the paper yet so I don't know if the author discusses security problems that need attention or if the article is more like a compilation of Stupid