From: "Christopher Kings-Lynne" <chriskl@familyhealth.com.au>
To: "Robert Treat", "Dan Langille"
Cc: pgsql-hackers@postgresql.org
Subject: Re: What goes into the security doc?
Date: Wed, 22 Jan 2003 13:29:33 +0800
In-Reply-To: <1043162191.18529.11.camel@camel>

Recommend always running "initdb -W" and setting all pg_hba entries to md5.

Chris

> -----Original Message-----
> From: pgsql-hackers-owner@postgresql.org
> [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Robert Treat
> Sent: Tuesday, 21 January 2003 11:17 PM
> To: Dan Langille
> Cc: pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] What goes into the security doc?
>
>
> I'm not sure how adequately these topics are covered elsewhere, but you
> should probably provide at least a pointer if not improved information:
>
> * Should have a mention of the pgcrypto code in contrib.
>
> * Brain hiccup, but isn't there some type of "password" datatype?
>
> * Explanation of problems/solutions of using md5 passwords inside
> PostgreSQL. This has tripped up a lot of people upgrading to 7.3.
>
> * Possibly go into server resource issues and the pitfalls in giving
> free-form SQL access to just anyone. (Think unconstrained join on all
> tables in a database.)
>
> hth,
>
> Robert Treat
>
> On Mon, 2003-01-20 at 00:01, Dan Langille wrote:
> > With reference to my post to the "PostgreSQL Password Cracker" on
> > 2003-01-02, I've promised to write a security document for the project.
> > Here it is, Sunday night, and I can't sleep. What better way to get there
> > than start this task...
> >
> > My plan is to write this in very simple HTML. I will post the draft
> > document on my website and post the URL here from time to time for
> > feedback. Please make suggestions for content. So far, I will cover these
> > items:
> >
> > - .pgpass (see
> >   http://developer.postgresql.org/docs/postgres/libpq-files.html)
> > - local connections
> > - remote connections (recommending SSL)
> > - pg_hba (only in passing, most of that is at
> >   http://www.postgresql.org/idocs/index.php?client-authentication.html)
> > - running the postmaster as a specific user
> >
> > That doesn't sound like much. Surely you can think of something else to
> > add. Should I post this to another list for their views?
> >
> > OK, that's done it. I'm ready for sleep now.
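As an added example (not code from the thread, nor from PostgreSQL itself), a small Python audit of the two pg_hba.conf points raised above: every entry should use md5 rather than trust, password or crypt, and remote entries should be hostssl rather than host. It assumes the 7.3-era line layout (address and mask as separate fields) and also accepts the CIDR form; the sample file is constructed for the demo.

```python
# Audit pg_hba.conf for the weak settings discussed in the thread.
# Added example; the file layout assumed is the 7.3-era one:
#   local    DATABASE USER METHOD
#   host     DATABASE USER IP-ADDRESS IP-MASK METHOD
#   hostssl  DATABASE USER IP-ADDRESS IP-MASK METHOD
# A CIDR address (ADDRESS/BITS) in place of IP-ADDRESS IP-MASK is also accepted.

# Constructed sample: a typical out-of-the-box file plus two remote entries.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  IP-ADDRESS   IP-MASK          METHOD
local   all       all                                 trust
host    all       all   127.0.0.1    255.255.255.255  trust
host    all       all   192.168.0.0  255.255.255.0    password
hostssl all       all   0.0.0.0      0.0.0.0          md5
"""

# trust checks no credential at all; password and crypt send weak material on the wire.
WEAK_METHODS = {"trust", "password", "crypt"}
LOOPBACK = {"127.0.0.1/255.255.255.255", "127.0.0.1/32"}


def parse_pg_hba(text):
    """Return (type, database, user, address, method) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            entries.append((f[0], f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl"):
            if "/" in f[3]:          # CIDR form: ADDRESS/BITS METHOD
                address, method = f[3], f[4]
            else:                    # 7.3 form: ADDRESS MASK METHOD
                address, method = f[3] + "/" + f[4], f[5]
            entries.append((f[0], f[1], f[2], address, method))
    return entries


def audit_pg_hba(text):
    """Return one finding per entry that should be tightened (empty list if clean)."""
    findings = []
    for conn_type, db, user, address, method in parse_pg_hba(text):
        where = f"{conn_type} {db} {user}" + (f" {address}" if address else "")
        if method in WEAK_METHODS:
            findings.append(f"{where}: method '{method}' -> use md5")
        if conn_type == "host" and address not in LOOPBACK:
            findings.append(f"{where}: remote entry without SSL -> use hostssl")
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(finding)
```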