From: Guilherme B. <gu...@in...> - 2001-11-27 19:11:45

Debian comes with a severe configuration fault in postgresql ... in pg_hba.conf, it uses TRUST as the default authentication method (from localhost) ... as phpPgAdmin runs on localhost, anyone can log in without a password. There are DOZENS of sites out there running without any security! And this is terrible! If I weren't a very nice person and simply didn't change anything (I could, as postgres is superuser and I can log in as it).

Here's how to fix it (on Debian, don't know if any other distribution is affected):

  - log in as postgres
  - run psql
  - check the pg_shadow table (SELECT * FROM pg_shadow;)
  - see if everyone has a password (especially user postgres)

After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the following lines:

    local all password
    host all 127.0.0.1 255.0.0.0 password

Then it will require a password. Also, if you wish to block connections from the internet, add this as well:

    host all 0.0.0.0 0.0.0.0 reject

Please put this on the page or together with phpPgAdmin's documentation. (Search google.com with "phppgadmin local:5432" and check for yourself ... log in as postgres and type anything as password!)

Thank you very much for your attention (Please be kind and reply)

Guilherme Barile
Infoage Web Solutions
Sao Paulo - SP - Brazil
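The check the mail asks administrators to make by hand, flagging `trust` records and catch-all host records that do not `reject`, as an added example that is not part of the original post or of phpPgAdmin. It parses both the 2001-era pg_hba.conf layout quoted above (no user column, address plus netmask) and the current layout (user column, CIDR address); the sample configs are constructed.

```python
"""Audit pg_hba.conf for the TRUST problem described in the mail (added example)."""
import ipaddress

# Constructed: roughly the permissive default the mail complains about.
HBA_BEFORE = """\
local all trust
host all 127.0.0.1 255.255.255.255 trust
"""

# Constructed from the lines the mail recommends instead.
HBA_AFTER = """\
local all password
host all 127.0.0.1 255.0.0.0 password
host all 0.0.0.0 0.0.0.0 reject
"""


def _network(fields):
    """Return the network a 'host' record matches, from either
    'addr mask' (old layout) or 'addr/prefix' (current layout);
    None for keywords or hostnames we do not resolve."""
    for i, f in enumerate(fields):
        if "/" in f:
            return ipaddress.ip_network(f, strict=False)
        try:
            ipaddress.ip_address(f)
        except ValueError:
            continue
        if i + 1 < len(fields):  # old layout: next field is the netmask
            return ipaddress.ip_network((f, fields[i + 1]), strict=False)
        return ipaddress.ip_network(f)  # bare address: single host
    return None


def audit_hba(text):
    """Return (line_no, severity, message) for every risky record."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        ctype, method = fields[0], fields[-1]  # method is always last
        if method == "trust":
            findings.append((no, "HIGH", f"{ctype} record uses trust: any client it matches "
                                         "may log in as any role, including postgres, with no password"))
        if ctype in ("host", "hostssl", "hostnossl"):
            net = _network(fields[1:-1])
            if net is not None and net.prefixlen == 0 and method != "reject":
                findings.append((no, "HIGH", f"record matches every address ({net}) with method {method}"))
    return findings
```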