SEO

Why does the windows installer require a password for the superuser
account, since it's perfectly legitimate not to have a password on
that account? I could see perhaps producing a warning, but making
this a hard requirement seems like overkill.
--
Decibel!, aka Jim Nasby decibel@decibel.org
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)



---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

http://www.postgresql.org/about/donate

Decibel! wrote:
> Why does the windows installer require a password for the superuser
> account, since it's perfectly legitimate not to have a password on that
> account? I could see perhaps producing a warning, but making this a hard
> requirement seems like overkill.

Security out of the box. There are few, if any good reasons not to have
a password on the account, and if you really want to remove it, you can
do so in psql or pgAdmin.

Regards, Dave.

---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

http://www.postgresql.org/about/donate

On Fri, Aug 31, 2007 at 09:02:49AM +0100, Dave Page wrote:
> Decibel! wrote:
> > Why does the windows installer require a password for the superuser
> > account, since it's perfectly legitimate not to have a password on that
> > account? I could see perhaps producing a warning, but making this a hard
> > requirement seems like overkill.
>
> Security out of the box. There are few, if any good reasons not to have
> a password on the account, and if you really want to remove it, you can
> do so in psql or pgAdmin.

Is there something insecure about using ident sameuser for localhost
authentication on Windows?
--
Decibel!, aka Jim Nasby decibel@decibel.org
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQFG2DYmdO30qud8SkgRAh+KAJ4leDuuzP9IemfX483F2V F6k0e5TgCfQUhv
v4dGJUsCG1m15d/deg/XaF8=
=nIJx
-----END PGP SIGNATURE-----

Decibel! wrote:
> On Fri, Aug 31, 2007 at 09:02:49AM +0100, Dave Page wrote:
>> Decibel! wrote:
>>> Why does the windows installer require a password for the superuser
>>> account, since it's perfectly legitimate not to have a password on that
>>> account? I could see perhaps producing a warning, but making this a hard
>>> requirement seems like overkill.
>> Security out of the box. There are few, if any good reasons not to have
>> a password on the account, and if you really want to remove it, you can
>> do so in psql or pgAdmin.
>
> Is there something insecure about using ident sameuser for localhost
> authentication on Windows?

Windows doesn't have ident (though there are 3rd party products).

Regards Dave

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

Decibel! wrote:
> Is there something insecure about using ident sameuser for localhost
> authentication on Windows?
>

FWIW, I never advise people to use ident auth for postgres except on
local (a.k.a. Unix domain socket) connections, which don't exist on Windows.

cheers

andrew

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

On Fri, Aug 31, 2007 at 12:37:16PM -0400, Andrew Dunstan wrote:
>
>
> Decibel! wrote:
> >Is there something insecure about using ident sameuser for localhost
> >authentication on Windows?
> >
>
> FWIW, I never advise people to use ident auth for postgres except on
> local (a.k.a. Unix domain socket) connections, which don't exist on Windows.

Is it easy to spoof where an incoming connection request is coming from?
Is there something else that makes ident on 127.0.0.1/32 insecure?
--
Decibel!, aka Jim Nasby decibel@decibel.org
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQFG2FAadO30qud8SkgRAt4oAKDOQL7jzEPB9vIeKvgPkl f/zPEL9wCg1O9d
xSX/OwrsXnYGefDhy6cEAcM=
=5+h7
-----END PGP SIGNATURE-----

On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote:
>
> Is it easy to spoof where an incoming connection request is coming from?
> Is there something else that makes ident on 127.0.0.1/32 insecure?

It shouldn't be easy. Ident uses TCP, which is rather harder to
spoof. If someone can originate spoofed TCP packets from 127.0.0.1,
you gots bigger problems than them being able to lie about the
identity of a user.

A

--
Andrew Sullivan | ajs@crankycanuck.ca
However important originality may be in some fields, restraint and
adherence to procedure emerge as the more significant virtues in a
great many others. --Alain de Botton

---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

http://www.postgresql.org/about/donate

"Andrew Sullivan" <ajs@crankycanuck.ca> writes:

> On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote:
>>
>> Is it easy to spoof where an incoming connection request is coming from?
>> Is there something else that makes ident on 127.0.0.1/32 insecure?
>
> It shouldn't be easy. Ident uses TCP, which is rather harder to
> spoof.

Say what? It's actually quite easy to spoof TCP. There are even command-line
tools to do it available in most Unix distributions.

> If someone can originate spoofed TCP packets from 127.0.0.1, you gots bigger
> problems than them being able to lie about the identity of a user.

Well yes, there are other insecure services which look at the originating ip
address. But hopefully fewer and fewer as time goes on. Once upon a time X was
a big target since most X servers shipped trusting 127.0.0.1 and you could
slip a request into the first data packet to trust other ip addresses which
made attacking it considerably easier. These days X doesn't use ip addresses
to handle authorization any more.

Also modern distributions, at least on Linux, tend to install ip filters to
block packets with source addresses like 127/8 coming from an external
interface. However even today I wouldn't be confident that all operating
systems do so or that they work correctly in all circumstances.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

On Fri, Aug 31, 2007 at 07:07:40PM +0100, Gregory Stark wrote:
> >
> > It shouldn't be easy. Ident uses TCP, which is rather harder to
> > spoof.
>
> Say what? It's actually quite easy to spoof TCP. There are even command-line
> tools to do it available in most Unix distributions.

Sorry, I should have been more precise. It's hard to spoof TCP
easily and usefully. It's trivial to spoof a TCP packet and send it,
but because TCP depends on the handshake, there's a bunch of
additional overhead that make the whole thing fragile: intermediate
firewalls and such like tend to detect these things and prevent their
continued use. (This is all in comparison with UDP, which is
completely trivial to spoof. In the absence of BCP38, it's also
almost impossible to detect, which is why the DNS is so vulnerable
these days.)

> > If someone can originate spoofed TCP packets from 127.0.0.1, you
> > gots bigger problems than them being able to lie about the
> > identity of a user.
>
> Well yes, there are other insecure services which look at the
> originating ip address.

I was thinking that, if your operating system is accepting packets
from 127.0.0.1 on an external interface, you're already in a world of
hurt. And if someone is able to fiddle with the packets on your own
box, then they have root anyway; they can do anything they want. If
you haven't set up your systems so that this kind of attack is
impossible from localhost, well, I don't think that anything at the
application's level of security is going to do you any good at all.

Indeed, I would argue that, for industrial-class data centre use, if
you can't use ident between machines, your network security is in
very bad shape. (That isn't to say I think it's a good idea; but
rather, that I hope the network is well enough run that, even if you
did run it, it would not represent a real risk.)

--
Andrew Sullivan | ajs@crankycanuck.ca
This work was visionary and imaginative, and goes to show that visionary
and imaginative work need not end up well.
--Dennis Ritchie

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org

On Fri, Aug 31, 2007 at 02:38:25PM -0400, Andrew Sullivan wrote:
> Indeed, I would argue that, for industrial-class data centre use, if
> you can't use ident between machines, your network security is in
> very bad shape. (That isn't to say I think it's a good idea; but
> rather, that I hope the network is well enough run that, even if you
> did run it, it would not represent a real risk.)

ISTM that if someone breaches your network to the point where they can
spoof identd, you're pretty much hosed anyway; so what's the point of
hard-coding passwords in a config file somewhere then?
--
Decibel!, aka Jim Nasby decibel@decibel.org
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQFG2GgDdO30qud8SkgRAnGtAJ9rMwoUaosmpZirJqhI0X pp+ULmrgCfUYqV
Eu+M+Q4o2+Z4SfKeCrep8Q4=
=WiZG
-----END PGP SIGNATURE-----