Re: initdb authentication

Peter Eisentraut wrote:
> Magnus Hagander wrote:
> > This one makes it mandatory to pick some kind of authentication. If
> > that's not wanted, it's easy to change it to default to trust (which
> > I think is wrong, but we've been through that already..)
>
> I don't think I like any of this.  Sooner rather than later, people need
> to look at pg_hba.conf and think about it.  I don't like switches that
> induce them to skip that step.  And I certainly don't like forcing
> extra switches on users that just try out an installation locally.
>
> I would be in favor of making everything supertight and secure by
> default, no questions asked.  The is a definable goal.  But as long as
> there is no agreement on that, let's not create illusions in that
> direction while inconveniencing a bunch of people for little gain.

I think the basic problem is that right now there is no way to do an
initdb and have it be secure _before_ you edit pg_hba.conf.  That isn't
acceptable.  If I am on an insecure machine, the window if time between
initdb and editing of pg_hba.conf is pretty bad.  I could edit
pg_hba.conf.sample, but then I am editing a sample file.

I think Magnus's patch takes us closer to secure.  I do agree that by
default we shouldn't require any flag and install unsecure and issue a
warning.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073