Re: Use "samehost" by default in pg_hba.conf?
| From | Robert Haas |
|---|---|
| Subject | Re: Use "samehost" by default in pg_hba.conf? |
| Date | |
| Msg-id | 603c8f070910010847s7941c920y21e00a021f03cdcc@mail.gmail.com |
| In reply to | Re: Use "samehost" by default in pg_hba.conf? (Tom Lane <tgl@sss.pgh.pa.us>) |
| List | pgsql-hackers |
On Thu, Oct 1, 2009 at 11:35 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Stef Walter <stef-list@memberwebs.com> writes:
>> Tom Lane wrote:
>>> Now that the samehost/samenet patch is in, I wonder if it wouldn't be
>>> a good idea to replace this part of the default pg_hba.conf file:
>
>> You're probably not suggesting this, but I would be against a default
>> setting of 'samehost' used with 'trust'.
>
>> Essentially that would be the same as rlogin rsh, where if the user can
>> spoof a TCP connection, he can connect to postgresql. Depending on the
>> platform, an interface may have to be down for this to work.
>
> Is there any actual risk here that we aren't taking already just by
> allowing 127.0.0.1?

I wouldn't bet that there isn't. I don't really think there's any need
for our default configuration to be at the mercy of every half-baked
TCP/IP implementation out there. A socket file in /tmp can't be
remotely hacked (well, not directly anyway); anything else is further
from a sure thing.

...Robert
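An added example, not part of the thread or of PostgreSQL itself: a small Python audit that parses pg_hba.conf rules and flags every TCP-type rule that uses `trust`, `127.0.0.1` and `samehost` included, since those are exactly the rules whose safety rests on the platform's TCP/IP stack rather than on the Unix socket. The sample configuration is constructed and is not any release's shipped default.

```python
"""Audit pg_hba.conf for rules that grant 'trust' over TCP (added example)."""
import shlex

# Constructed sample configuration; not any PostgreSQL release's shipped default.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       trust
host    all       all   127.0.0.1/32        trust
host    all       all   ::1/128             md5
host    all       all   samehost            trust
host    all       all   10.0.0.0 255.0.0.0  md5
hostssl all       all   samenet             md5
"""

TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ADDRESS_KEYWORDS = {"all", "samehost", "samenet"}


def parse_hba(text):
    """Return one (lineno, type, database, user, address, method) per rule.

    'local' rules (Unix-domain socket) have no ADDRESS column. A TCP rule's
    address may be CIDR, a keyword, a hostname, or a separate 'IP netmask'
    pair; the pair form is detected because method names never contain
    '.' or ':'. Quoted values containing '#' are not handled.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw.split("#", 1)[0])
        if not fields:
            continue
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            rules.append((lineno, kind, fields[1], fields[2], None, fields[3]))
        elif kind in TCP_TYPES and len(fields) >= 5:
            address, method = fields[3], fields[4]
            if (address not in ADDRESS_KEYWORDS and "/" not in address
                    and len(fields) >= 6 and any(c in method for c in ".:")):
                address, method = address + " " + fields[4], fields[5]
            rules.append((lineno, kind, fields[1], fields[2], address, method))
    return rules


def find_trust_over_tcp(text):
    """Return the TCP-type rules that use 'trust', 127.0.0.1 and samehost
    included: their only gate is the peer address as reported by the
    platform's TCP/IP stack, which a socket-based 'local' rule avoids."""
    return [r for r in parse_hba(text) if r[1] in TCP_TYPES and r[5] == "trust"]
```

Run against the sample, the audit reports the `127.0.0.1/32` and `samehost` rules and leaves the socket-based `local` rule alone.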