From: Tansley, Robert <robert.tansley@hp...> - 2004-02-24 16:55:59
When I installed Postgres 7.4, the default security settings did seem to be a bit tighter than 7.3, though I installed from RPMs so this may be specific to the RPM package.
DSpace uses JDBC, which can only connect to the database over TCP/IP. However, it should be forced to authenticate itself using the username and password specific in /dspace/config/dspace.cfg (make sure this file is only readable by appropriate users!) Try this line for DSpace in pg_hba.conf:
host dspace dspace 127.0.0.1 255.255.255.255 md5
This means that the 'dspace' user can only connect to the 'dspace' database, and only using md5 password authentication. Your DSpace app should connect OK, provided db.username and db.password are correctly set in your dspace.cfg.
Robert Tansley / DSpace Technical Lead / Hewlett-Packard Laboratories
> The dspace installation documentation doesn't say much about
> postgresql security. I'm curious what other sites are doing
> in this regard.
> The postmaster task is normally run as user "postgres" and
> reads its configuration and data files from /var/lib/pgsql,
> which should be owned by postgres and mode 700. So far so
> good. But in addition you need to pay attention to who can
> connect to the database, and this is controlled by the file
> /var/lib/pgsql/pg_hba.conf (possibly supplemented by pg_ident.conf).
> The worst situation would be if people on other hosts could
> connect to and muck with your database. Luckily, that's
> prevented at multiple levels -- in the default postgresql
> config, and probably in your firewall. But what about other
> local users, particularly if you are using a dspace server
> that is also used for other things? And conversely, can your
> dspace user ID inappropriately access other postgresql
> databases on your server?
> It appears that in the default Postgresql configuration any
> local user can connect to any database as any user (including
> dspace). If that's the case, it's a severe security problem
> on any machine with more than one user ID.
> A setup that is slightly more secure than the default has a
> pg_hba.conf that contains:
> local all all ident sameuser
> host dspace dspace 127.0.0.1 127.0.0.1 trust
> This means that local users can connect as themselves, and in
> addition that any local user can connect as user "dspace" via
> the loopback network address. Still not good, but at least
> if you have other databases in your postgres server they
> can't get to them.
> Can anyone recommend a more secure setup? It seems that the
> dspace Java app insists on connecting using the loopback
> address rather than unix sockets, which means there doesn't
> seem to be any easy way to authenticate the dspace Java code.
> JQ Johnson Office: 115F Knight Library
> Academic Education Coordinator e-mail: jqj@...
> 1299 University of Oregon 1-541-346-1746 (v); -3485 (fax)
> Eugene, OR 97403-1299 http://darkwing.uoregon.edu/~jqj
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438> &op=click
> DSpace-tech mailing list
> https://lists.sourceforge.net/lists/listinfo/d> space-tech