| From: | Ian Harding <harding(dot)ian(at)gmail(dot)com> |
|---|---|
| To: | Magnus Hagander <mha(at)sollentuna(dot)net> |
| Cc: | tjo(at)acm(dot)org, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Oracle DB Worm Code Published |
| Date: | 2006-01-09 04:03:17 |
| Message-ID: | 725602300601082003v349c35e7l47aa9728c91f3034@mail.gmail.com |
| Lists: | pgsql-general |
On 1/7/06, Magnus Hagander <mha(at)sollentuna(dot)net> wrote:
> > A recent article about an Oracle worm:
> > http://www.eweek.com/article2/0,1895,1880648,00.asp
> > got me wondering.
> > Could a worm like this infect a PostgreSQL installation?
> > It seems to depend on default usernames and passwords - and
> > lazy DBAs, IMO.
> > Isn't it true that PostgreSQL doesn't have any default user/password?
>
> That's true. However, PostgreSQL ships by default with access mode set
> to "trust", which means you don't *need* a password. And I bet you'll
> find the user being either "postgres" or "pgsql" in 99+% of all
> installations.
>
> We do, however, ship with network access disabled by default. Which
> means a worm can't get to it, until you enable that. But if you enable
> network access, and don't change it from "trust" to something else (such
> as md5), then you're wide open to this kind of entry.
>
I don't think it's quite that easy. The default installs from SUSE
and other RPMs I have done are set to ident sameuser for local
connections. Even if you turn on the -i flag, you can't get in
remotely since there is no pg_hba.conf record for the rest of the
world by default. You would have to add a record to pg_hba.conf.
PostgreSQL is remarkably secure out of the box compared to Brand X.
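The point both messages turn on is the combination of network access being enabled and a pg_hba.conf line still using "trust". The following is an added example, not part of this thread or of PostgreSQL itself: a small audit script that parses a constructed pg_hba.conf sample, reports the network entries that would admit a remote client without a password, and rewrites them to "md5" as Magnus suggests. The sample configuration, the function names and the choice of "md5" as the replacement method are assumptions made here for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf for this example; not taken from any real installation.
# It mixes the local "ident sameuser" line from the reply above with a loopback trust
# line, two network trust lines (one in CIDR form, one in the older address/netmask
# form) and one line that already requires a password.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                   METHOD
local   all       all                             ident sameuser
host    all       all   127.0.0.1/32              trust
host    all       all   0.0.0.0/0                 trust
host    all       all   192.168.1.0 255.255.255.0 trust
hostssl all       all   10.0.0.0/8                md5
"""


def _looks_like_ip(token):
    """True if token parses as a bare IPv4/IPv6 address (used to spot netmask form)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf text into a list of dicts; comments and blank lines are skipped.

    Network entries may give the address either as CIDR ("10.0.0.0/8") or as an
    "address netmask" pair; the pair is kept as one space-separated string.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[0], fields[1], fields[2]
        rest = fields[3:]
        address = None
        if conn_type != "local":
            if "/" in rest[0] or not (len(rest) > 1 and _looks_like_ip(rest[1])):
                address, rest = rest[0], rest[1:]
            else:
                address, rest = rest[0] + " " + rest[1], rest[2:]
        entries.append({
            "type": conn_type, "database": database, "user": user,
            "address": address, "method": rest[0], "options": rest[1:],
        })
    return entries


def trust_exposure(entries):
    """Return the network entries that let a client in without any password.

    A "trust" line on a local socket or on the loopback interface is the situation the
    thread describes as safe by default; the same method on any other address range is
    the "wide open" case once network access is switched on.
    """
    exposed = []
    for e in entries:
        if e["type"] == "local" or e["method"] != "trust":
            continue
        try:
            net = ipaddress.ip_network(e["address"].replace(" ", "/"), strict=False)
        except ValueError:
            exposed.append(e)  # hostname or unparsable address: treat as reachable
            continue
        if not net.is_loopback:
            exposed.append(e)
    return exposed


def harden(entries, method="md5"):
    """Return config lines with every exposed "trust" entry switched to `method`."""
    exposed = {id(e) for e in trust_exposure(entries)}
    lines = []
    for e in entries:
        m = method if id(e) in exposed else e["method"]
        parts = [e["type"], e["database"], e["user"]]
        if e["address"] is not None:
            parts.append(e["address"])
        parts.append(m)
        parts.extend(e["options"])
        lines.append("  ".join(parts))
    return lines


if __name__ == "__main__":
    parsed = parse_pg_hba(SAMPLE_PG_HBA)
    for e in trust_exposure(parsed):
        print("passwordless network entry:", e["type"], e["address"])
    print("\n".join(harden(parsed)))
```

Running the script on the sample leaves the local and loopback lines untouched and rewrites only the two entries that reach beyond 127.0.0.1. The same parser can be pointed at a real file with `parse_pg_hba(open(path).read())`; changes still need a reload of the server before they take effect.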