Re: What goes into the security doc? - Christopher Kings-Lynne

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Christopher Kings-Lynne <[email protected]>
To: Robert Treat <[email protected]>
To: Dan Langille <[email protected]>
Cc: [email protected]
Subject: Re: What goes into the security doc?
Date: Wed, 22 Jan 2003 13:29:33 +0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <1043162191.18529.11.camel@camel>

Recommend always running "initdb -W" and setting all pg_hba entries to md5.

Chris


> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Robert Treat
> Sent: Tuesday, 21 January 2003 11:17 PM
> To: Dan Langille
> Cc: [email protected]
> Subject: Re: [HACKERS] What goes into the security doc?
>
>
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
>
> * Should have a mention of the pgcrypto code in contrib.
>
> * Brain hiccup, but isn't there some type of "password" datatype
>
> * Explanation of problems/solutions of using md5 passwords inside
> postgresql. this has tripped up a lot of people upgrading to 7.3
>
> * possibly go into server resource issues and the pitfalls in giving
> free form sql access to just anyone. (Think unconstrained join on all
> tables in a database)
>
> hth,
>
> Robert Treat
>
> On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> > With reference to my post to the "PostgreSQL Password Cracker" on
> > 2003-01-02, I've promised to write a security document for the project.
> > Here it is, Sunday night, and I can't sleep.  What better way
> to get there
> > than start this task...
> >
> > My plan is to write this in very simple HTML.  I will post the draft
> > document on my website and post the URL here from time to time for
> > feedback. Please make suggestions for content.  So far, I will
> cover these
> > items:
> >
> > - .pgpass (see
> > http://developer.postgresql.org/docs/postgres/libpq-files.html)
> > - local connections
> > - remote connections (recommending SSL)
> > - pg_hba (only in passing, most of that is at
> > http://www.postgresql.org/idocs/index.php?client-authentication.html)
> > - running the postmaster as a specific user
> >
> > That doesn't sound like much.  Surely you can think of something else to
> > add.  Should I post this to another list for their views?
> >
> > OK, that's done it.  I'm ready for sleep now.
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>

view thread (20+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: What goes into the security doc?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox