Re: postgres 7.1 security problem?
From | Marcel Gsteiger |
---|---|
Subject | Re: postgres 7.1 security problem? |
Date | |
Msg-id | 3B1DD5FD.E3DE6442@milprog.ch |
In response to | Re: postgres 7.1 security problem? (Stephan Szabo <sszabo@megazone23.bigpanda.com>) |
List | pgsql-general |
My pg_hba.conf obviously says trust when it shouldn't. Meanwhile I changed that. Sorry, I did not know that all passwords are being ignored when one uses trust in pg_hba.conf.

However, I still have to use trust authentication for my webapps. Obviously someone broke into my database this way. I will have to change several things, e.g. install users with read-only privileges on some databases.

I also use ODBC to remotely access my databases, but this works only with plaintext password authentication, which is quite a security risk. Maybe I will have to install CIPE or something similar to encrypt my database connection.

Thanks for your response.

--Marcel

Stephan Szabo wrote:

> What does your pg_hba.conf say?
>
> On Wed, 30 May 2001, Marcel Gsteiger wrote:
>
> > My postgres 7.1 now runs for several weeks without problems. Today I
> > suddenly became aware of the fact that no passwords are needed anymore to
> > login to any database.
> >
> > Seems that the security system has been defeated in some way. pg_dumpall
> > -g still shows the correct users and passwords.
> >
> > I don't know what went wrong here. This is a very severe situation for
> > me, so I would much appreciate any hint on how I could check the
> > security system and make it work again.
> >
> > My postmaster gets started with the following command:
> >
> > su -l postgres -c "/usr/local/pgsql/bin/pg_ctl -D $PGDATA -p
> > /usr/local/pgsql/bin/postmaster -o "-i" start >/dev/null 2>&1" <
> > /dev/null
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly
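
An added example, not part of the original message or of PostgreSQL itself: a small audit of pg_hba.conf text that reports the two settings discussed in this thread, `trust` records (passwords are ignored) and `password` records on non-SSL host connections (plaintext password). The sample file is constructed, its column layout is an assumed 7.1-era layout without a user column, and the method-detection heuristic is an assumption labelled in the code.

```python
"""Audit pg_hba.conf text for methods that skip or expose passwords (added example)."""

# Auth-method keywords from older and newer PostgreSQL releases.
METHODS = {"trust", "reject", "password", "crypt", "md5", "scram-sha-256",
           "ident", "peer", "krb4", "krb5", "gss", "sspi", "ldap", "radius",
           "cert", "pam"}
RECORD_TYPES = {"local", "host", "hostssl", "hostnossl"}

# Constructed sample (assumed 7.1-era layout, no user column); not from the thread.
SAMPLE = """\
# TYPE  DATABASE  IP_ADDRESS   MASK             AUTHTYPE
local   all                                     trust
host    all       127.0.0.1    255.255.255.255  crypt
host    webapp    192.0.2.10   255.255.255.255  trust
host    all       0.0.0.0      0.0.0.0          password
"""


def audit(text):
    """Return (line_number, record_type, method, reason) for risky records."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens or tokens[0] not in RECORD_TYPES:
            continue
        # Heuristic (assumption): the method is the first known keyword after
        # the database column, so both old and newer column layouts parse.
        method = next((t for t in tokens[2:] if t in METHODS), None)
        if method is None:
            findings.append((lineno, tokens[0], None, "no recognised auth method"))
        elif method == "trust":
            findings.append((lineno, tokens[0], method,
                             "passwords are never checked for matching connections"))
        elif method == "password" and tokens[0] in ("host", "hostnossl"):
            findings.append((lineno, tokens[0], method,
                             "password can cross the network in plaintext"))
    return findings


if __name__ == "__main__":
    for lineno, rtype, method, reason in audit(SAMPLE):
        print(f"line {lineno}: {rtype} {method}: {reason}")
```
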