Re: Tightening the trust auth advice

From: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Pg Docs <pgsql-docs(at)lists(dot)postgresql(dot)org>
Subject: Re: Tightening the trust auth advice
Date: 2023-01-12 21:46:02
Message-ID: 37a6a45c-ee93-041d-664e-12399a021ac6@postgresql.org
Lists: pgsql-docs

On 1/12/23 4:32 AM, Magnus Hagander wrote:
> The page at https://www.postgresql.org/docs/current/auth-trust.html
> goes through some length to explain why Trust is sometimes a good idea.
>
> Is it really though? And in particular, aren't there better choices?

The first case it lists sounds like a good case for "peer"
authentication...and the multi-user case it lists also sounds like a good
use for "peer".

The case that I think "trust" is good at, which we don't list, is doing
local development / testing of PG.

> As a first step, I think we should put a <warning> box on the page
> explicitly saying that that trust, unless limited in pg_hba, will allow
> any user to become superuser which allows them to bypass all other
> security restrictions.

+1

> Second, we're kind of going out of our way to recommend setting unix
> socket permissions etc -- in those cases, wouldn't it in almost every
> case just be better for the user to use "peer" auth instead of trust,
> and we should recommend them to use that instead? Is it really any less
> appropriate and/or convenient? (It was listed as appropriate back in
> 2001 in 6f0f5bf2fbe, but the world has changed a bit in 20+ years..)

Yeah, I think forwarding folks to the documentation on "peer" is a good
idea here. I don't know if we want to keep any language around for
historical context "Prior to "peer" auth, "trust" was used for this but
on modern systems you can use "peer" instead for better security."

> And finally, the sentence "It is seldom reasonable to use trust for any
> TCP/IP connections other than those from localhost (127.0.0.1)." should
> probably be amended with an ", and only reasonable for localhost if you
> trust every single user on the host"?

I'd invert it: "It is not recommended to use "trust" for any TCP/IP
(non-local) connection. You should use "trust" with localhost
(127.0.0.1) connections only if you trust every single user on that host."

> Thoughts? I'll be happy to work up a patch if there's agreement on the
> general idea.

Reading through this, I'm not shocked there's still a good amount of
"trust" prevalent in the wild. I agree with tightening this up.

Jonathan
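As an added example (not code from this thread or from the PostgreSQL project), here is a small Python audit that parses pg_hba.conf entries and flags "trust" lines along the lines discussed above: trust on the Unix socket where "peer" would do, trust limited to localhost, and trust on non-local TCP/IP. The sample configuration is constructed for the demonstration; the severity labels are the example's own.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Constructed sample pg_hba.conf for demonstration only (not a real config).
SAMPLE_HBA = """\
local   all       all                                trust
host    all       all   127.0.0.1/32                 trust
host    all       all   ::1/128                      scram-sha-256  # not trust
host    all       all   0.0.0.0/0                    trust
host    app       app   10.0.0.0    255.255.255.0    trust
"""

def parse_hba(text):
    """Yield (type, database, user, address, method) for each pg_hba entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind, db, user = fields[0], fields[1], fields[2]
        if kind == "local":
            yield kind, db, user, None, fields[3]
        elif kind in HOST_TYPES:
            try:  # "address netmask method" form has an IP in column five
                ipaddress.ip_address(fields[4])
                addr, method = f"{fields[3]}/{fields[4]}", fields[5]
            except ValueError:
                addr, method = fields[3], fields[4]
            try:
                addr = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                pass  # samehost, samenet, all or a hostname stays a string
            yield kind, db, user, addr, method

def audit_trust(text):
    """Return (entry, severity, advice) for each trust entry in the config."""
    findings = []
    for kind, db, user, addr, method in parse_hba(text):
        if method != "trust":
            continue
        entry = f"{kind} {db} {user}" + ("" if addr is None else f" {addr}")
        if kind == "local":
            severity, advice = "high", "use peer instead of trust on the Unix socket"
        elif getattr(addr, "is_loopback", False):
            severity, advice = "medium", "localhost trust: only if every user on the host is trusted"
        else:
            severity, advice = "critical", "trust on non-local TCP/IP is not recommended"
        if user == "all":
            advice += "; USER all lets any client connect as a superuser role"
        findings.append((entry, severity, advice))
    return findings
```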
