Date: Mon, 20 Jan 2003 00:01:12 -0500 (EST)
From: Dan Langille
To: pgsql-hackers@postgresql.org
Cc: dan@langille.org
Subject: What goes into the security doc?
Message-ID: <20030119234411.S76103-100000@m20.unixathome.org>

With reference to my post to the "PostgreSQL Password Cracker" on 2003-01-02, I've promised to write a security document for the project. Here it is, Sunday night, and I can't sleep. What better way to get there than start this task...

My plan is to write this in very simple HTML. I will post the draft document on my website and post the URL here from time to time for feedback.

Please make suggestions for content. So far, I will cover these items:

- .pgpass (see http://developer.postgresql.org/docs/postgres/libpq-files.html)
- local connections
- remote connections (recommending SSL)
- pg_hba (only in passing, most of that is at http://www.postgresql.org/idocs/index.php?client-authentication.html)
- running the postmaster as a specific user

That doesn't sound like much. Surely you can think of something else to add.

Should I post this to another list for their views?

OK, that's done it. I'm ready for sleep now.