Tightening the trust auth advice
The page at https://www.postgresql.org/docs/current/auth-trust.html goes
through some length to explain why Trust is sometimes a good idea.
Is it really though? And in particular, aren't there better choices?
As a first step, I think we should put a <warning> box on the page
explicitly saying that that trust, unless limited in pg_hba, will allow any
user to become superuser which allows them to bypass all other security
restrictions.
Second, we're kind of going out of our way to recommend setting unix socket
permissions etc -- in those cases, wouldn't it in almost every case just be
better for the user to use "peer" auth instead of trust, and we should
recommend them to use that instead? Is it really any less appropriate
and/or convenient? (It was listed as appropriate back in 2001
in 6f0f5bf2fbe, but the world has changed a bit in 20+ years..)
And finally, the sentence "It is seldom reasonable to use trust for any
TCP/IP connections other than those from localhost (127.0.0.1)." should
probably be amended with an ", and only reasonable for localhost if you
trust every single user on the host"?
Thoughts? I'll be happy to work up a patch if there's agreement on the
general idea.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
On 1/12/23 4:32 AM, Magnus Hagander wrote:
The page at https://www.postgresql.org/docs/current/auth-trust.html
<https://www.postgresql.org/docs/current/auth-trust.html> goes through
some length to explain why Trust is sometimes a good idea.Is it really though? And in particular, aren't there better choices?
This first case it lists sounds like a good case for "peer"
authentication...and the multi-user case it lists also sounds like a goo
use for "peer".
The case that I think "trust" is good at, which we don't list, is doing
local development / testing of PG.
As a first step, I think we should put a <warning> box on the page
explicitly saying that that trust, unless limited in pg_hba, will allow
any user to become superuser which allows them to bypass all other
security restrictions.
+1
Second, we're kind of going out of our way to recommend setting unix
socket permissions etc -- in those cases, wouldn't it in almost every
case just be better for the user to use "peer" auth instead of trust,
and we should recommend them to use that instead? Is it really any less
appropriate and/or convenient? (It was listed as appropriate back in
2001 in 6f0f5bf2fbe, but the world has changed a bit in 20+ years..)
Yeah, I think forwarding folks to the documentation on "peer" is a good
idea here. I don't know if we want to keep any language around for
historical context "Prior to "peer" auth, "trust" was used for this but
on modern systems you can use "peer" instead for better security."
And finally, the sentence "It is seldom reasonable to use trust for any
TCP/IP connections other than those from localhost (127.0.0.1)." should
probably be amended with an ", and only reasonable for localhost if you
trust every single user on the host"?
I'd invert it: "It is not recommended to use "trust" for any TCP/IP
(non-local) connection. You should use "trust" with localhost
(127.0.0.1) connections only if you trust every single user on that host."
Thoughts? I'll be happy to work up a patch if there's agreement on the
general idea.
Reading through this, I'm not shocked there's still a good amount of
"trust" prevalent in the wild. I agree with tightening this up.
Jonathan