Hi,
David Fetter wrote:
> I'm all for something, and that's a much better something. What we
> have now--nothing--actively distresses newbies for no good reason.
> I don't know how many people we've lost right at that point, but the
> number has to be high, as most people don't just hop into IRC with
> their problem.

Maybe something much more specific, i.e. triggering only if one tried to
connect via localhost or unix sockets, and only if one tried to
authenticate as 'root' without a password.
The hint should IMO say something like: "The default superuser is
postgres, not root". Something that's useful for this specific case and
doesn't disturb in others. And something that's public knowledge, which
any reasonably serious attacker already knows anyway.
Maybe also point out that the unix user is chosen by default. Assuming
that most of these users didn't explicitly type 'root' and are wondering
where that 'root' user came from.
Regards
Markus Wanner