postgres 7.1 security problem?

Started by Marcel Gsteiger, almost 25 years ago, 3 messages, general

#1 Marcel Gsteiger
Marcel.Gsteiger@milprog.ch

My postgres 7.1 has now been running for several weeks without problems.
Today I suddenly became aware of the fact that no passwords are needed
anymore to log in to any database.

Seems that the security system has been defeated in some way. pg_dumpall
-g still shows the correct users and passwords.

I don't know what went wrong here. This is a very severe situation for
me, so I would much appreciate any hint on how I could check the
security system and make it work again.

My postmaster gets started with the following command:

su -l postgres -c "/usr/local/pgsql/bin/pg_ctl -D $PGDATA -p
/usr/local/pgsql/bin/postmaster -o "-i" start >/dev/null 2>&1" <
/dev/null

Regards
--marcel

#2 Stephan Szabo
sszabo@megazone23.bigpanda.com
In reply to: Marcel Gsteiger (#1)
Re: postgres 7.1 security problem?

What does your pg_hba.conf say?

On Wed, 30 May 2001, Marcel Gsteiger wrote:

> My postgres 7.1 has now been running for several weeks without problems.
> Today I suddenly became aware of the fact that no passwords are needed
> anymore to log in to any database.
>
> Seems that the security system has been defeated in some way. pg_dumpall
> -g still shows the correct users and passwords.
>
> I don't know what went wrong here. This is a very severe situation for
> me, so I would much appreciate any hint on how I could check the
> security system and make it work again.
>
> My postmaster gets started with the following command:
>
> su -l postgres -c "/usr/local/pgsql/bin/pg_ctl -D $PGDATA -p
> /usr/local/pgsql/bin/postmaster -o "-i" start >/dev/null 2>&1" <
> /dev/null

#3 Marcel Gsteiger
Marcel.Gsteiger@milprog.ch
In reply to: Stephan Szabo (#2)
Re: postgres 7.1 security problem?

My pg_hba.conf obviously says trust when it shouldn't.

Meanwhile I changed that. Sorry, I did not know that all passwords are being
ignored when one uses trust in pg_hba.conf. However, I still have to use trust
authentication for my webapps. Obviously someone broke into my database this
way. I will have to change several things, e.g. install users with read-only
privileges on some databases. I also use ODBC to remotely access my databases,
but this works only with plaintext password authentication, which is quite a
security risk. Maybe I will have to install CIPE or something similar to
encrypt my database connection.

Thanks for your response.
--Marcel

Stephan Szabo wrote:

> What does your pg_hba.conf say?
>
> On Wed, 30 May 2001, Marcel Gsteiger wrote:
>
>> My postgres 7.1 has now been running for several weeks without problems.
>> Today I suddenly became aware of the fact that no passwords are needed
>> anymore to log in to any database.
>>
>> Seems that the security system has been defeated in some way. pg_dumpall
>> -g still shows the correct users and passwords.
>>
>> I don't know what went wrong here. This is a very severe situation for
>> me, so I would much appreciate any hint on how I could check the
>> security system and make it work again.
>>
>> My postmaster gets started with the following command:
>>
>> su -l postgres -c "/usr/local/pgsql/bin/pg_ctl -D $PGDATA -p
>> /usr/local/pgsql/bin/postmaster -o "-i" start >/dev/null 2>&1" <
>> /dev/null

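
Added example (not part of the original thread, and not PostgreSQL project code): a small audit of pg_hba.conf text for the two settings discussed above, trust rules, under which stored passwords are never checked, and password rules on host lines, which send the password in plaintext. The sample config is constructed, and locating the method field by keyword is a heuristic assumed here so that the 7.1-era and later column layouts are both handled.

```python
# Added example: flag pg_hba.conf rules that skip or weaken password checks.
# Method names are matched by keyword (heuristic), so a database or user
# that happens to be named like a method could be misread.
KNOWN_METHODS = {
    "trust", "reject", "password", "crypt", "md5", "scram-sha-256",
    "ident", "peer", "krb4", "krb5", "gss", "sspi", "ldap", "radius",
    "cert", "pam", "bsd",
}


def audit_pg_hba(text):
    """Return (line_no, conn_type, method, reason) for each risky rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 3:
            continue  # blank line, comment, or not a complete rule
        conn_type = fields[0]
        # The method is taken as the first known keyword after type and database.
        method = next((f for f in fields[2:] if f in KNOWN_METHODS), None)
        if method == "trust":
            findings.append((line_no, conn_type, method,
                             "no password is checked; stored passwords are ignored"))
        elif method == "password" and conn_type.startswith("host"):
            findings.append((line_no, conn_type, method,
                             "password is sent in plaintext unless the link is encrypted"))
    return findings


# Constructed sample, assumed 7.1-era layout:
#   local DBNAME AUTHTYPE / host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE
SAMPLE = """\
# constructed sample, not taken from the thread
local   all                                     trust
host    all     127.0.0.1   255.255.255.255     trust
host    webdb   192.0.2.10  255.255.255.255     password
host    all     0.0.0.0     0.0.0.0             reject
"""

if __name__ == "__main__":
    for line_no, conn_type, method, reason in audit_pg_hba(SAMPLE):
        print(f"line {line_no}: {conn_type} rule uses '{method}': {reason}")
```
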