#1
    PostgreSQL Admin - passwords?


    I just installed PostgreSQL 7.3.1 from source on RedHat 8.0. I have the system up, running and accessible from Unix sockets and TCP/IP. I can get into the system by doing the /usr/local/pgsql/bin/psql test command (as user postgres) or from my W2K box with pgAdmin2 (user: postgres and blank password) after I made changes to the pg_hba.conf file.

    My question is, how do I make the system more secure by actually requiring real passwords?

    (1) I can only get into the database from the shell by su'ing to the user postgres but it never asks for a password - is this okay?
    (2) I want to make sure that when I connect via TCP/IP from my W2K box that a password is required as well.

    Thanks for any security tips you guys might have.


    -Cliff
    Last edited by cliffyman; December 31st, 2002 at 04:04 PM.
#2
    Hi,

    I came to this forum to post a similar question, so I will add to this thread. In reply to your first point, I can only su to postgres from root which I think is OK.
    In order to get a PHP script to connect to a database, I had to set up "wwwrun" (the user that apache runs as on my system) as a user for postgres, using the "createuser" command, then grant permissions for this user.
    But what worries me is, as you said, there is no password, so what is to stop anyone connecting to this database from a remote machine as the user "wwwrun"? I also couldn't define the host making the connection when granting permissions as you can in MySQL ( GRANT ..... TO user@localhost .....).
    So - should I set a password for wwwrun? There must be a standard way of making a connection in a secure way - could someone please point me in the right direction?
    Hope this is some help to you - I found this tutorial helpful:
    http://www-it.hive.no/database/pgsql...ial/intro.html
#3
    how do I make the system more secure by actually requiring real passwords
    You have to edit pg_hba.conf to set up the requirements. You also set allowed hosts there, pmm.

    I can only get into the database from the shell by su'ing to the user postgres but it never asks for a password - is this okay?
    No, it's not. Again, edit pg_hba.conf to require passwords. You will also need to give the postgres user a password with ALTER USER and be sure to give a password to any new users when using CREATE USER.
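    An added example (not from this thread or from PostgreSQL itself) of the pg_hba.conf review the reply above describes: it parses the 7.3 record layout, flags records that admit a client without a hashed password, and rewrites them to md5. The sample configuration is constructed to resemble a fresh install; the helper names are mine.

```python
import re

# Added example: audit a PostgreSQL 7.3-style pg_hba.conf for records that
# admit clients without a real password, and produce a hardened copy.
# Assumes the 7.3 record layout (a USER column, no CIDR notation):
#   local  DATABASE  USER  METHOD
#   host   DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD

# Constructed sample resembling a freshly installed, wide-open server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  IP-ADDRESS   IP-MASK          METHOD
local   all       all                                 trust
host    all       all   127.0.0.1    255.255.255.255  trust
host    test      all   192.168.1.0  255.255.255.0    password
host    all       all   10.0.0.0     255.0.0.0        md5
"""

NO_PASSWORD = {"trust"}    # never asks for a password at all
CLEARTEXT = {"password"}   # asks, but the password crosses the wire unhashed

def parse_hba(text):
    """Yield (lineno, type, method) for every record; comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            yield lineno, kind, fields[3]
        elif kind in ("host", "hostssl") and len(fields) >= 6:
            yield lineno, kind, fields[5]
        else:
            raise ValueError(f"line {lineno}: malformed record: {raw!r}")

def audit(text):
    """Return [(lineno, reason)] for records that do not enforce a hashed password."""
    findings = []
    for lineno, kind, method in parse_hba(text):
        if method in NO_PASSWORD:
            findings.append((lineno, "no password required"))
        elif method in CLEARTEXT and kind != "local":
            findings.append((lineno, "cleartext password over TCP/IP"))
    return findings

def harden(text):
    """Rewrite every trust/password record (without trailing comment) to md5."""
    pattern = re.compile(r"^(?!#)(.*\s)(trust|password)(\s*)$")
    return "\n".join(pattern.sub(r"\1md5\3", ln) for ln in text.splitlines()) + "\n"
```

    An md5 record only works for users that actually have a password stored, so it goes together with the ALTER USER / CREATE USER ... WITH PASSWORD step from the reply.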
