From: Robert Treat <[email protected]>
To: Dan Langille <[email protected]>
Cc: [email protected]
Subject: Re: What goes into the security doc?
Date: 21 Jan 2003 10:16:31 -0500
Message-ID: <1043162191.18529.11.camel@camel> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
I'm not sure how adequately these topics are covered elsewhere, but you
should probably provide at least a pointer if not improved information:

* Should have a mention of the pgcrypto code in contrib.
* Brain hiccup, but isn't there some type of "password" datatype?
* Explanation of problems/solutions of using md5 passwords inside
  PostgreSQL. This has tripped up a lot of people upgrading to 7.3.
* Possibly go into server resource issues and the pitfalls in giving
  free-form SQL access to just anyone. (Think unconstrained join on all
  tables in a database.)

hth,
Robert Treat

On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> With reference to my post to the "PostgreSQL Password Cracker" on
> 2003-01-02, I've promised to write a security document for the project.
> Here it is, Sunday night, and I can't sleep. What better way to get there
> than start this task...
>
> My plan is to write this in very simple HTML. I will post the draft
> document on my website and post the URL here from time to time for
> feedback. Please make suggestions for content. So far, I will cover these
> items:
>
> - .pgpass (see
> http://developer.postgresql.org/docs/postgres/libpq-files.html)
> - local connections
> - remote connections (recommending SSL)
> - pg_hba (only in passing, most of that is at
> http://www.postgresql.org/idocs/index.php?client-authentication.html)
> - running the postmaster as a specific user
>
> That doesn't sound like much. Surely you can think of something else to
> add. Should I post this to another list for their views?
>
> OK, that's done it. I'm ready for sleep now.