On 2019-05-23 18:54, Peter Eisentraut wrote:
> To recap, the idea here was to change the default authentication methods
> that initdb sets up, in place of "trust".
>
> I think the ideal scenario would be to use "peer" for local and some
> appropriate password method (being discussed elsewhere) for host.

Patch for that attached.

> Looking through the buildfarm, I gather that the only platforms that
> don't support peer are Windows, AIX, and HP-UX.

Note that with this change, running initdb without arguments will now error on those platforms: You need to supply either a password or select a different default authentication method.

-- 
Peter Eisentraut  http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From 88de6f226233bb183dc75ee047501fae5051e287 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut <pe...@eisentraut.org> Date: Tue, 18 Jun 2019 22:20:23 +0200 Subject: [PATCH v1] initdb: Change authentication defaults Change the defaults for the pg_hba.conf generated by initdb to "peer" for local (if supported, else "md5") and "md5" for host. (Changing from "md5" to SCRAM is left as a separate exercise.) "peer" is currently not supported on AIX, HP-UX, and Windows. Users on those operating systems will now either have to provide a password to initdb or choose a different authentication method when running initdb. Discussion: https://www.postgresql.org/message-id/flat/bec17f0a-ddb1-8b95-5e69-368d9d0a3390%40postgresql.org --- doc/src/sgml/ref/initdb.sgml | 9 ++++++++- doc/src/sgml/runtime.sgml | 23 +++++++++------------ doc/src/sgml/standalone-install.xml | 9 --------- src/bin/initdb/initdb.c | 31 ++++++++++------------------- src/include/port.h | 5 +++++ src/test/regress/pg_regress.c | 2 +- 6 files changed, 33 insertions(+), 46 deletions(-) diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml index 7fc3152c6d..c47b9139eb 100644 --- a/doc/src/sgml/ref/initdb.sgml +++ b/doc/src/sgml/ref/initdb.sgml @@ -136,9 +136,16 @@ <title>Options</title> replication connections. </para> + <para> + The default is <literal>peer</literal> for Unix-domain socket + connections on operating systems that support it, otherwise + <literal>md5</literal>, and <literal>md5</literal> for TCP/IP + connections. + </para> + <para> Do not use <literal>trust</literal> unless you trust all local users on your - system. <literal>trust</literal> is the default for ease of installation. + system. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 365ec75aad..305698aa0e 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml 
@@ -156,24 +156,19 @@ <title>Creating a Database Cluster</title> </para> <para> - However, while the directory contents are secure, the default - client authentication setup allows any local user to connect to the - database and even become the database superuser. If you do not - trust other local users, we recommend you use one of + The default client authentication setup is such that users can connect over + the Unix-domain socket to the same database user name as their operating + system user names (on operating systems that support this, which are most + modern Unix-like systems, but not Windows) and otherwise with a password. + To assign a password to the initial database superuser, use one of <command>initdb</command>'s <option>-W</option>, <option>--pwprompt</option> - or <option>--pwfile</option> options to assign a password to the - database superuser.<indexterm> + or <option>--pwfile</option> options.<indexterm> <primary>password</primary> <secondary>of the superuser</secondary> </indexterm> - Also, specify <option>-A md5</option> or - <option>-A password</option> so that the default <literal>trust</literal> authentication - mode is not used; or modify the generated <filename>pg_hba.conf</filename> - file after running <command>initdb</command>, but - <emphasis>before</emphasis> you start the server for the first time. (Other - reasonable approaches include using <literal>peer</literal> authentication - or file system permissions to restrict connections. See <xref - linkend="client-authentication"/> for more information.) + This configuration is secure and sufficient to get started. Later, see + <xref linkend="client-authentication"/> for more information about setting + up client authentication. </para> <para> diff --git a/doc/src/sgml/standalone-install.xml b/doc/src/sgml/standalone-install.xml index f584789f9a..749a071061 100644 --- a/doc/src/sgml/standalone-install.xml +++ b/doc/src/sgml/standalone-install.xml 
@@ -63,15 +63,6 @@ <title>Getting Started</title> </para> </step> - <step> - <para> - At this point, if you did not use the <command>initdb</command> <literal>-A</literal> - option, you might want to modify <filename>pg_hba.conf</filename> to control - local access to the server before you start it. The default is to - trust all local users. - </para> - </step> - <step> <para> The previous <command>initdb</command> step should have told you how to diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index ad5cd4194a..fd69c5c95e 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c @@ -185,7 +185,6 @@ static const char *default_timezone = NULL; "# allows any local user to connect as any PostgreSQL user, including\n" \ "# the database superuser. If you do not trust all your local users,\n" \ "# use another authentication method.\n" -static bool authwarning = false; /* * Centralized knowledge of switches to pass to backend @@ -2389,16 +2388,6 @@ usage(const char *progname) printf(_("\nReport bugs to <pgsql-b...@lists.postgresql.org>.\n")); } -static void -check_authmethod_unspecified(const char **authmethod) -{ - if (*authmethod == NULL) - { - authwarning = true; - *authmethod = "trust"; - } -} - static void check_authmethod_valid(const char *authmethod, const char *const *valid_methods, const char *conntype) { @@ -3246,8 +3235,16 @@ main(int argc, char *argv[]) exit(1); } - check_authmethod_unspecified(&authmethodlocal); - check_authmethod_unspecified(&authmethodhost); + if (authmethodlocal == NULL) + { +#ifdef HAVE_AUTH_PEER + authmethodlocal = "peer"; +#else + authmethodlocal = "md5"; +#endif + } + if (authmethodhost == NULL) + authmethodhost = "md5"; check_authmethod_valid(authmethodlocal, auth_methods_local, "local"); check_authmethod_valid(authmethodhost, auth_methods_host, "host"); 
@@ -3330,14 +3327,6 @@ main(int argc, char *argv[]) else printf(_("\nSync to disk skipped.\nThe data directory might become corrupt if the operating system crashes.\n")); - if (authwarning) - { - printf("\n"); - pg_log_warning("enabling \"trust\" authentication for local connections"); - fprintf(stderr, _("You can change this by editing pg_hba.conf or using the option -A, or\n" - "--auth-local and --auth-host, the next time you run initdb.\n")); - } - /* * Build up a shell command to tell the user how to start the server */ diff --git a/src/include/port.h b/src/include/port.h index b5c03d912b..2536a2586c 100644 --- a/src/include/port.h +++ b/src/include/port.h @@ -361,6 +361,11 @@ extern int fls(int mask); extern int getpeereid(int sock, uid_t *uid, gid_t *gid); #endif +/* must match src/port/getpeereid.c */ +#if defined(HAVE_GETPEEREID) || defined(SO_PEERCRED) || defined(LOCAL_PEERCRED) || defined(HAVE_GETPEERUCRED) +#define HAVE_AUTH_PEER 1 +#endif + #ifndef HAVE_ISINF extern int isinf(double x); #else diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c index 7beee00dbd..7210702f06 100644 --- a/src/test/regress/pg_regress.c +++ b/src/test/regress/pg_regress.c @@ -2292,7 +2292,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc /* initdb */ header(_("initializing database system")); snprintf(buf, sizeof(buf), - "\"%s%sinitdb\" -D \"%s/data\" --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1", + "\"%s%sinitdb\" -D \"%s/data\" -A trust --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1", bindir ? bindir : "", bindir ? "/" : "", temp_instance, base-commit: aca127c105aae551620d607e88d76930e6b9a2cf -- 2.22.0
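Review bot: the new paragraph in the initdb.sgml hunk states the defaults but not their consequence: whenever the default resolves to md5 (every host connection, and local connections on systems without peer), initdb needs a superuser password and otherwise exits with an error, as the cover mail says. Add a sentence after "connections." along the lines of "If the default is md5, a superuser password must be provided with -W, --pwprompt or --pwfile, or a different method selected with -A." The --auth-local and --auth-host options, which set the two defaults independently, also deserve a mention here.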
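Review bot: "This configuration is secure and sufficient to get started" in the runtime.sgml hunk overstates things: the host default is md5, which the commit message itself marks as due for replacement by SCRAM, and the paragraph does not tell readers that on systems without peer support (Windows is named in the parenthesis) initdb now refuses to proceed without -W, --pwprompt, --pwfile or a different -A. Suggest "reasonably secure" plus one sentence about the password requirement on those platforms. The clause "users can connect over the Unix-domain socket to the same database user name as their operating system user names" also mixes singular and plural; "to the database user name matching their operating system user name" reads better.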
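Review bot: in the main() hunk the md5 fallback under #else turns the missing-peer case into a password error much later in the run, so a user on Windows, AIX or HP-UX only learns that md5 needs a password, not that peer is unavailable and that this is why the default changed. When HAVE_AUTH_PEER is undefined and no password was given, print a message here that names the platform limitation together with the -W/--pwfile and -A/--auth-local options, rather than letting the generic check fire. A short comment above "#ifdef HAVE_AUTH_PEER" saying that md5 is chosen because peer is unavailable would also help the next reader.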
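Review bot: the "#if defined(HAVE_GETPEEREID) || defined(SO_PEERCRED) || defined(LOCAL_PEERCRED) || defined(HAVE_GETPEERUCRED)" test in the port.h hunk is only correct if sys/socket.h (for SO_PEERCRED) and sys/un.h (for LOCAL_PEERCRED) are already included wherever port.h is processed; those two are socket-API macros, not configure results. If they are not visible at that point, HAVE_AUTH_PEER is silently left undefined on a platform that does support peer, initdb falls back to md5 and starts demanding a password, contradicting the cover mail's list of affected platforms. Safer to decide this in configure (a HAVE_AUTH_PEER in pg_config.h) or to evaluate it in src/port/getpeereid.c, which the "must match" comment says has to stay in step anyway; at minimum add the includes or a compile-time check that the two definitions agree.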
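Review bot: the "-A trust" added to the initdb invocation in the pg_regress.c hunk carries no comment explaining why the harness pins trust (the temp instance must come up without a password and on platforms without peer), so a later cleanup could drop it and break the Windows, AIX and HP-UX builds described in the cover mail. Add a one-line comment above the snprintf, and record in the commit message that the regression instance keeps trust, since anyone auditing the new defaults will grep for it.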