From: William Edwards <wedwards(at)cyberfusion(dot)nl>
To: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Sample pg_hba.conf allows local users to access all databases
Date: 2023-08-02 08:08:56
Message-ID: 54edc22f9addec5fcb8ea8190274cf06@cyberfusion.nl
Lists: pgsql-general

Hi David,
David G. Johnston wrote on 2023-08-01 19:35:
> On Tue, Aug 1, 2023 at 10:13 AM William Edwards
> <wedwards(at)cyberfusion(dot)nl> wrote:
>
>> This allows all local users connecting over TCP to access all databases,
>> not only the databases that the user is a member of, as one might expect.
>>
>> Proof that the user is able to access a database that it is not a member
>> of is below.
>
> Roles do not gain membership in databases.
I mixed up \du and \l output (the latter has a 'Member of' column)
because I used identical names for some roles and databases. Sorry for
the confusion.

> Roles can be granted
> permissions on databases (mainly CONNECT). And all roles, via PUBLIC,
> get connect privileges on all databases by default. So the
> pg_hba.conf entry is not causing something to happen against the
> wishes of the privileges system.
>
> https://www.postgresql.org/docs/current/ddl-priv.html
>
> And yes, this is a usability vs secure-by-default trade-off that hasn't
> seen enough complaint to take on changing the default.

Understood - records in pg_hba.conf limit access preemptively during
client authentication and do not control privileges.
For completeness' sake: from what I understand, with default privileges,
this does allow users to manipulate and read objects in any 'public'
schema pre PostgreSQL 15.x
(https://www.postgresql.org/docs/15/release-15.html E.4.2).

>
> David J.
Kind regards,
William Edwards
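
The point settled above (pg_hba.conf gates authentication, the privilege system gates what an authenticated role may reach) is easier to act on with the statements side by side. The following is an added example written for this page; it is not code from the thread or from the PostgreSQL project. The role app_reader and the databases app_db and other_db are hypothetical, as is the pg_hba.conf line shown in the comment; the catalog queries and GRANT/REVOKE syntax are standard PostgreSQL.

```sql
-- Added example, not part of the thread. Role app_reader and databases app_db
-- and other_db are hypothetical. Run as a superuser or the database owner.

-- pg_hba.conf only decides who may authenticate. Its database and user
-- columns can narrow that (hypothetical line, same five-column format as the
-- shipped sample):
--   host    app_db    app_reader    127.0.0.1/32    scram-sha-256
-- It grants and revokes nothing; the statements below do.

-- 1. Show the default: PUBLIC holds CONNECT on every database, so a role
--    with no explicit grants can still connect everywhere.
SELECT datname,
       has_database_privilege('app_reader', datname, 'CONNECT') AS can_connect
  FROM pg_database
 WHERE NOT datistemplate
 ORDER BY datname;

-- 2. Withdraw the implicit PUBLIC grant on each database to be fenced off,
--    then grant CONNECT explicitly to the roles that need it.
REVOKE CONNECT ON DATABASE other_db FROM PUBLIC;
REVOKE CONNECT ON DATABASE app_db   FROM PUBLIC;
GRANT  CONNECT ON DATABASE app_db   TO app_reader;

-- 3. On servers before PostgreSQL 15, PUBLIC also holds CREATE on the
--    'public' schema of every database, so any role that can connect can
--    create objects there. Run this inside each database; 15 and later
--    ship with it already revoked.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Re-run the check from step 1 to confirm the fence holds for the
--    non-superuser role (superusers report true for every row regardless).
SELECT datname,
       has_database_privilege('app_reader', datname, 'CONNECT') AS can_connect
  FROM pg_database
 WHERE NOT datistemplate
 ORDER BY datname;
```

After step 2 the second query should report true only for app_db (assuming app_reader is not a superuser and holds no other grants or role memberships). Two caveats: the REVOKE on a database must be repeated for every database created afterwards, because a new database starts with the default ACL again, and the schema-level REVOKE in step 3 is per database, so it must be run in each one rather than once per cluster.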