From owner-freebsd-questions@FreeBSD.ORG Fri Sep 12 13:59:32 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 573E916A4BF for ; Fri, 12 Sep 2003 13:59:32 -0700 (PDT) Received: from kanga.honeypot.net (kanga.honeypot.net [208.162.254.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1DDC143FD7 for ; Fri, 12 Sep 2003 13:59:31 -0700 (PDT) (envelope-from kirk@strauser.com) Received: from pooh.strauser.com (pooh.honeypot.net [10.0.5.128]) by kanga.honeypot.net (8.12.9/8.12.9) with ESMTP id h8CKxT1T003142 for ; Fri, 12 Sep 2003 15:59:29 -0500 (CDT) (envelope-from kirk@strauser.com) To: freebsd-questions@freebsd.org From: Kirk Strauser Date: Fri, 12 Sep 2003 15:59:25 -0500 Message-ID: <87r82lbu4y.fsf@strauser.com> Lines: 40 X-Mailer: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature" Subject: Trying to secure PostgreSQL X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2003 20:59:32 -0000 --=-=-= Content-Transfer-Encoding: quoted-printable I'm running PostgreSQL 7.3 on a FreeBSD 5.1 server. The databases are working well and it's humming along nicely, but I really want to secure it. In particular, my pg_hba.conf looks like: local all pgsql trust host all all 127.0.0.1 255.255.255.255 md5 host all all 10.0.5.16 255.255.255.255 md5 This isn't very good. Any user connecting to the machine via the network is authenticated as expected, but local connections slide in without protection. The biggest problem with this comes with running phpPgAdmin. Since it runs under Apache on the same server, it uses a local connection to the database. That means that Joe User can type Username: pgsql Password: and have full read/write access to all of my databases. This is not good. The alternative seems to be re-writing the first line of pg_hba.conf as local all all md5 That works decently, *except* that I have to enter the password for `pgsql' before the database startup. I've Googled for the answer, but there seems to be a tremendous amount of chaff with the wheat. I know other admins have dealt with this; how did you handle it? Is there an important document I'm missing somewhere? =2D-=20 Kirk Strauser "94 outdated ports on the box, 94 outdated ports. Portupgrade one, an hour 'til done, 82 outdated ports on the box." --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQA/YjOx5sRg+Y0CpvERAhreAJ4zQGqsJFFTYA71sXlpsYW7TUyajACfVwqW QtgOy7yABvrzrfiJpkZfQWs= =uM9J -----END PGP SIGNATURE----- --=-=-=--