| From: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> |
|---|---|
| To: | Meirav Rath <meirav(dot)rath(at)imperva(dot)com> |
| Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, "pgsql-bugs\(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: BUG #15035: scram-sha-256 blocks all logins |
| Date: | 2018-01-30 18:32:31 |
| Message-ID: | 87lggftdaq.fsf@news-spur.riddles.org.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
>>>>> "Meirav" == Meirav Rath <meirav(dot)rath(at)imperva(dot)com> writes:
Meirav> host all postgres 0.0.0.0/0 trust
Never do this. (If you need non-password access for the postgres user,
then use "local all postgres peer", or a certificate-based method, or at
the _very least_ limit it to trusted IP addresses.)
Someone who can connect as the postgres user can load code into the
database remotely and run it, in addition to being able to see or modify
all your data. People _do_ get exploited this way (we see instances of
it reported on the IRC channel every once in a while); they find
themselves running DDoS bots or cryptocurrency miners or whatever else.
--
Andrew (irc:RhodiumToad)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Todd A. Cook | 2018-01-30 18:57:44 | Re: BUG #14932: SELECT DISTINCT val FROM table gets stuck in an infinite loop |
| Previous Message | David G. Johnston | 2018-01-30 17:44:24 | Re: BUG #15035: scram-sha-256 blocks all logins |