Re: PostgreSQL security concerns
From | Bruce Momjian |
---|---|
Subject | Re: PostgreSQL security concerns |
Date | |
Msg-id | 200106041351.f54DpO208902@candle.pha.pa.us |
In response to | Re: PostgreSQL security concerns (Francesco Casadei <f_casadei@libero.it>) |
Responses | Re: PostgreSQL security concerns |
List | pgsql-general |
> The only problem I have is with createdb and dropdb. I only have two users:
> pgsql and funland (created with CREATEDB option). The relevant lines of
> pg_hba.conf are:
>
> # TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP
> local template0 trust
> local template1 trust
> local funland password funland.pwd
>
> psql prompts for a password when pgsql and funland connect to database funland
> (as expected).
> But anyone can create or destroy the database WITHOUT supplying a password. For
> example casimiro is a UNIX user not registered in PostgreSQL. I can do:
>
> casimiro@goku.kasby> createdb -U funland funland
> CREATE DATABASE
>
> casimiro@goku.kasby> dropdb -U funland funland
> DROP DATABASE
>
> I can use -W to force a password prompt, but a malicious user will not!!

createdb/dropdb are actually controlled by template0/1, not the database itself.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
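
An added example, not part of the original message or of PostgreSQL itself: a small audit of the `local` rules in a pg_hba.conf written in the column layout quoted above, flagging template databases whose first matching rule is `trust`. The function names, the first-match assumption and the `FIXED` sample are constructed for this illustration.

```python
# Audit 'local' rules of a pg_hba.conf in the layout quoted in the message:
#   local DATABASE AUTHTYPE [ARG]
# Assumption: the first rule matching the database decides the auth method.

TEMPLATE_DBS = ("template0", "template1")

# Constructed samples: SAMPLE mirrors the quoted file, FIXED applies the
# same password rule the poster used for 'funland' to the templates.
SAMPLE = """\
# TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP
local template0 trust
local template1 trust
local funland password funland.pwd
"""
FIXED = SAMPLE.replace("trust", "password funland.pwd")

def parse_local_rules(text):
    """Return [(database, authtype)] for each 'local' rule, in file order."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == "local":
            rules.append((fields[1], fields[2]))
    return rules

def first_authtype(rules, database):
    """Auth method of the first rule matching 'database' (or 'all')."""
    for db, auth in rules:
        if db in (database, "all"):
            return auth
    return None  # no matching rule

def unprotected_templates(text):
    """Template databases reachable over a local socket with no password.

    Per the reply above, createdb/dropdb are governed by these rules,
    not by the rule for the database being created or dropped.
    """
    rules = parse_local_rules(text)
    return [db for db in TEMPLATE_DBS if first_authtype(rules, db) == "trust"]

if __name__ == "__main__":
    for db in unprotected_templates(SAMPLE):
        print(f"WARNING: local access to {db} is 'trust'; "
              "createdb/dropdb will not ask for a password")
```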