From: Dan W. <kil...@us...> - 2002-04-03 20:42:35
This depends on how you've set up your security. The default security that is set up on postgres could cause problems in phpPgAdmin if you aren't careful. If you have set up phpPgAdmin to connect through the local connection (rather than TCP), then most likely you have a security hole. The default authentication does not require a password... it's set to "trust" if it's through the local connection, so all they need is a valid username. Which of course almost all pgsql installs have the postgres account as a superuser.

There's your hole.... to fix it, you should either connect through the tcp connection (by indicating a host and switching local to false in your config.inc.php) or change your pg_hba.conf file to not use the "trust" authentication.

A couple things to keep in mind:

1. In order to connect through tcp, you must start your postmaster with the -i option.
2. If you change your pg_hba.conf authentication from trust on a local connection, you will run into problems when doing a pg_dumpall.

-Dan

Quoting web...@lo...:

> Hi,
> Is there a known security hole? I seem to have a growing number of users in
> my user admin list. Some with createdb privileges. Is the breach here?
>
> Thanks,
> Great Tool.
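Added example, not part of the original thread: a small auditor that lists every `pg_hba.conf` rule using the `trust` method discussed above and marks those that also cover the superuser account. It assumes the column layout `TYPE DATABASE USER [ADDRESS [MASK]] METHOD` and a superuser named `postgres` (as in the message); the function names and the sample file are constructed for illustration.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_rule(line):
    """Return (type, database, user, address, method), or None if not a rule."""
    fields = shlex.split(line, comments=True)  # drops "# ..." and unquotes names
    if not fields:
        return None
    kind = fields[0]
    if kind == "local" and len(fields) >= 4:
        return kind, fields[1], fields[2], None, fields[3]
    if kind in HOST_TYPES and len(fields) >= 5:
        try:
            # A bare IP (no /prefix) means the next field is a separate netmask.
            ipaddress.ip_address(fields[3])
            if len(fields) >= 6:
                return kind, fields[1], fields[2], fields[3] + " " + fields[4], fields[5]
        except ValueError:
            pass  # CIDR block, hostname, or a keyword such as samehost
        return kind, fields[1], fields[2], fields[3], fields[4]
    return None

def audit(text, superuser="postgres"):
    """List every rule that authenticates with 'trust' (no password check)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[4] != "trust":
            continue
        kind, database, user, address, _ = rule
        users = user.split(",")
        # covers_superuser: a client can claim the superuser name unchallenged
        findings.append({"line": lineno, "type": kind, "database": database,
                         "user": user, "address": address,
                         "covers_superuser": "all" in users or superuser in users})
    return findings

# Constructed sample file, not taken from any real installation.
SAMPLE = """\
# TYPE  DATABASE  USER     ADDRESS                     METHOD
local   all       all                                  trust
local   appdb     appuser                              md5
host    all       all      127.0.0.1/32                trust
host    all       all      192.168.0.0 255.255.255.0   md5
host    appdb     report   10.0.0.5 255.255.255.255    trust
"""

print(*audit(SAMPLE), sep="\n")
```

Rules reported with `covers_superuser` set are the ones matching the situation in the reply: a front end connecting over that path only needs to supply the superuser's name.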