| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens |
| Date: | 2001-11-28 05:35:17 |
| Message-ID: | 200111280535.fAS5ZHX19823@candle.pha.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au> writes:
> > This came across the phpPgAdmin list, and I'm reposting it here in case it
> > is actually true...? If it is, is it a Postgres or a Debian package issue?
>
> The default installation is indeed insecure with respect to other local
> users; you don't want to use TRUST auth method on a multi-user box. We
> need to document that more prominently. But the default install is not
> insecure w.r.t. to outside connections, because it doesn't allow any.
> In particular, this advice is horsepucky:
Let me tell you what bothers me about our default install. If some
software installed all its data files in a world-writable directory, we
would consider it a security hole. But because we are Internet-enabled,
and because our insecurity is only local, it seems OK to people.
I am not sure about a solution, but I am shocked we haven't been beaten
up about this more often.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2001-11-28 05:36:20 | Re: ALTER TABLE ADD COLUMN column SERIAL -- unexpected results |
| Previous Message | Bruce Momjian | 2001-11-28 05:29:30 | Re: Call for platform testing |