Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
Cc: "Hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
Date: 2001-11-28 04:31:33
Message-ID: 796.1006921893@sss.pgh.pa.us
Lists: pgsql-hackers

"Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au> writes:
> This came across the phpPgAdmin list, and I'm reposting it here in case it
> is actually true...? If it is, is it a Postgres or a Debian package issue?

The default installation is indeed insecure with respect to other local
users; you don't want to use TRUST auth method on a multi-user box. We
need to document that more prominently. But the default install is not
insecure w.r.t. outside connections, because it doesn't allow any.
In particular, this advice is horsepucky:

> Also, If you wish to block connections from the internet, add this also:
> host all 0.0.0.0 0.0.0.0 reject

because that will happen anyway.

regards, tom lane
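
As an added illustration (not part of the original message, and not PostgreSQL's own code), here is a small Python model of the first-match evaluation of pg_hba.conf. It shows that a remote client is rejected with or without the explicit reject line, and that the TRUST records are the real local exposure. The sample file contents are constructed, the record layout is assumed from the line quoted in the message, and `parse`, `decide` and `trust_records` are hypothetical helper names.

```python
import ipaddress

# Constructed samples in the record layout of the line quoted in the message:
#   local DBNAME AUTHTYPE
#   host  DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE
SAMPLE_DEFAULT = """\
# constructed sample, not copied from any package
local all trust
host  all 127.0.0.1 255.255.255.255 trust
"""
SAMPLE_WITH_REJECT = SAMPLE_DEFAULT + "host all 0.0.0.0 0.0.0.0 reject\n"


def parse(text):
    """Return records as (type, database, network-or-None, method)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 3:
            records.append(("local", fields[1], None, fields[2]))
        elif fields[0] == "host" and len(fields) >= 5:
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            records.append(("host", fields[1], net, fields[4]))
        else:
            raise ValueError(f"unrecognised record: {line!r}")
    return records


def decide(records, database, client_ip=None):
    """First matching record wins; client_ip=None models a local socket."""
    for kind, db, net, method in records:
        if db not in ("all", database):  # simplified: only 'all' or an exact name
            continue
        if client_ip is None and kind == "local":
            return method
        if client_ip is not None and kind == "host" and ipaddress.ip_address(client_ip) in net:
            return method
    return "reject"  # implicit: no record matched, so access is denied


def trust_records(records):
    """Records that admit a client with no authentication at all."""
    return [r for r in records if r[3] == "trust"]
```
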
