Subject: Re: What goes into the security doc?
From: Robert Treat
To: Dan Langille
Cc: pgsql-hackers@postgresql.org
Date: 21 Jan 2003 10:16:31 -0500
Message-Id: <1043162191.18529.11.camel@camel>
In-Reply-To: <20030119234411.S76103-100000@m20.unixathome.org>

I'm not sure how adequately these topics are covered elsewhere, but you
should probably provide at least a pointer if not improved information:

* Should have a mention of the pgcrypto code in contrib.
* Brain hiccup, but isn't there some type of "password" datatype?
* Explanation of problems/solutions of using md5 passwords inside
  postgresql. This has tripped up a lot of people upgrading to 7.3.
* Possibly go into server resource issues and the pitfalls in giving free
  form sql access to just anyone. (Think unconstrained join on all tables
  in a database.)

hth,
Robert Treat

On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> With reference to my post to the "PostgreSQL Password Cracker" on
> 2003-01-02, I've promised to write a security document for the project.
> Here it is, Sunday night, and I can't sleep. What better way to get there
> than start this task...
>
> My plan is to write this in very simple HTML. I will post the draft
> document on my website and post the URL here from time to time for
> feedback. Please make suggestions for content. So far, I will cover these
> items:
>
> - .pgpass (see
>   http://developer.postgresql.org/docs/postgres/libpq-files.html)
> - local connections
> - remote connections (recommending SSL)
> - pg_hba (only in passing, most of that is at
>   http://www.postgresql.org/idocs/index.php?client-authentication.html)
> - running the postmaster as a specific user
>
> That doesn't sound like much. Surely you can think of something else to
> add. Should I post this to another list for their views?
>
> OK, that's done it. I'm ready for sleep now.