[PATCH] gnu: postgres service: More secure default permissions.

Done
Submitted by Robert Vollmert.
Details
4 participants
  • Giovanni Biscuolo
  • Ludovic Courtès
  • Christopher Baines
  • Robert Vollmert
Owner
unassigned
Severity
normal
Robert Vollmert wrote on 13 Jun 2019 15:50
(address . guix-patches@gnu.org)(name . Robert Vollmert)(address . rob@vllmrt.net)
20190613135037.10645-1-rob@vllmrt.net
This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.
---
 gnu/services/databases.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
Toggle diff (27 lines)diff --git a/gnu/services/databases.scm b/gnu/services/databases.scmindex 7113f1f2a1..ec31489d48 100644--- a/gnu/services/databases.scm+++ b/gnu/services/databases.scm@@ -5,6 +5,7 @@ ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net> ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>+;;; Copyright © 2019 Robert Vollmert <rob@vllmrt.net> ;;; ;;; This file is part of GNU Guix. ;;;@@ -91,9 +92,9 @@ (define %default-postgres-hba (plain-file "pg_hba.conf" "-local all all trust-host all all 127.0.0.1/32 trust-host all all ::1/128 trust"))+local all all peer+host all all 127.0.0.1/32 md5+host all all ::1/128 md5")) (define %default-postgres-ident (plain-file "pg_ident.conf"-- 2.20.1 (Apple Git-117)
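Review bot: In the `%default-postgres-hba` hunk (@@ -91,9 +92,9), replacing `trust` with `peer` and `md5` changes behaviour for every deployment that relies on the default, yet the diffstat shows only gnu/services/databases.scm changed, so nothing in the manual tells users about it. With `local all all peer`, a socket client is accepted only when its operating-system user name matches the requested database role (or is mapped through pg_ident.conf), and with `host all all 127.0.0.1/32 md5` a role that has no password set can no longer log in over TCP. I would add a paragraph to the service documentation describing the new defaults and how to supply a different pg_hba.conf. Separately, consider whether `scram-sha-256` can replace `md5` on the two `host` lines for the PostgreSQL versions this service packages, since `md5` keeps the weaker MD5 challenge-response for roles whose passwords are stored as MD5 hashes.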
Ludovic Courtès wrote on 25 Jun 2019 17:40
(name . Robert Vollmert)(address . rob@vllmrt.net)
874l4dlll0.fsf@gnu.org
Hello,
Robert Vollmert <rob@vllmrt.net> wrote:
> This changes to 'peer' authentication for local socket connections,
> and password-based authentication for local network connections.
>
> * gnu/services/databases.scm (%default-postgres-hba): Change
> authentication method.
That sounds reasonable to me. Chris, WDYT?
Thanks,
Ludo’.
Giovanni Biscuolo wrote on 26 Jun 2019 08:37
(address . 36191@debbugs.gnu.org)
87zhm44ztw.fsf@roquette.mug.biscuolo.net
Ludovic Courtès <ludo@gnu.org> writes:
> Robert Vollmert <rob@vllmrt.net> wrote:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me. Chris, WDYT?
It's very reasonable to have such default auth methods for PostgreSQL:
we should apply this patch
Thanks Robert!
[...]
-- Giovanni Biscuolo
Xelera IT Infrastructures
Christopher Baines wrote on 29 Jun 2019 00:25
(name . Ludovic Courtès)(address . ludo@gnu.org)
871rzdmjok.fsf@cbaines.net
Ludovic Courtès <ludo@gnu.org> writes:
> Hello,
>
> Robert Vollmert <rob@vllmrt.net> wrote:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me. Chris, WDYT?
I'm definitely no authority on PostgreSQL authentication, but this
sounds sensible to me.
Ludovic Courtès wrote on 2 Jul 2019 17:11
(name . Giovanni Biscuolo)(address . g@xelera.eu)
87imsk79p1.fsf@gnu.org
Hello,
Giovanni Biscuolo <g@xelera.eu> wrote:
> It's very reasonable to have such default auth methods for PostgreSQL:
> we should apply this patch
Christopher Baines <mail@cbaines.net> wrote:
> I'm definitely no authority on PostgreSQL authentication, but this
> sounds sensible to me.
Alright, applied, thanks for your feedback!
Ludo’.
Closed

This issue is archived.