Michael Fuhr <[EMAIL PROTECTED]> writes:
> A message entitled "Having Fun With PostgreSQL" was posted to Bugtraq
> today. I haven't read through the paper yet so I don't know if the
> author discusses security problems that need attention or if the
> article is more like a compilation of "Stupid PostgreSQL Tricks."
>
> http://www.securityfocus.com/archive/1/471541/30/0/threaded

It appears he's discovered the astonishing facts that

1. The out-of-the-box authentication setup is "trust".

2. A superuser can make the database do whatever he wants (within the
   OS privilege limits of the postgres user).

We've debated #1 before, and a lot of repackagers change it, but I don't
really feel a strong urge to change it in the source distro. As for #2,
that's not a bug, it's intended behavior.

regards, tom lane

PS: I skimmed the paper pretty fast, so it's possible I missed something
interesting, but it sure looked like "what else is new?"