Return-Path: pg_adm@postgres.berkeley.edu
Received: by postgres.Berkeley.EDU (5.61/1.29)
	id AA14016; Wed, 6 May 92 02:28:51 -0700
Message-Id: <9205060928.AA14016@postgres.Berkeley.EDU>
From: Stuart Pook <stuart@genethon.genethon.fr>
Subject: Re: Using Postgres from Unix and security
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
In-Reply-To: Your message of Tue, 05 May 92 22:33:24 -0700.
             <9205060533.AA11978@postgres.Berkeley.EDU> 
Organization: Genethon, 13 Place de Rungis, 75013 Paris, France
 tel +33 1 45.65.13.00, fax +33 1 45.88.52.20
Date: Wed, 06 May 92 11:28:51 +0200

> > I have compiled and installed postgres, run initdb, launched a
> > postmaster, and created a database called foo.  I have not run createuser.
> > I find that any user can run "/usr/postgres/bin/monitor foo" and change
> > the contents of the database foo.  This behaviour does not seem to agree
> > with the documentation cited above.  Am I confused?
> 
> No, this isn't supposed to happen.  What machine do you use?

I am using a Sun SPARC.  I compiled the programs on a SPARC running
SunOS 4.1.1 with various patches, I am running the postmaster on another
SPARC running SunOS 4.1.2, and another user using /usr/postgres/bin/monitor
on the original machine can use and change the database foo.

Should I be able to control the access to each database individually or only
to postgres (i.e. all the databases) as a whole?

I have just received some mail from djones%super@uunet.UU.NET; he says:
> I don't know about other platforms,
> but it is a serious detriment to doing "real" work with postgres.  Anyone
> can maliciously delete all of your data. Is there any chance this will be
> fixed in the upcoming release?
I agree; a fix is urgently needed.  Does this problem not occur on other
platforms?

Stuart Pook
