Return-Path: pg_adm@postgres.berkeley.edu
Received: by postgres.Berkeley.EDU (5.61/1.29)
	id AA15522; Wed, 6 May 92 05:35:10 -0700
Message-Id: <9205061235.AA15522@postgres.Berkeley.EDU>
From: Stuart Pook <stuart@genethon.genethon.fr>
Subject: Re: Using Postgres from Unix and security
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
Cc: postgres@postgres.berkeley.edu
In-Reply-To: Your message of Wed, 06 May 92 14:58:01 +0300.
             <9205061158.AA21019@humus.cs.huji.ac.il> 
Organization: Genethon, 13 Place de Rungis, 75013 Paris, France
 tel +33 1 45.65.13.00, fax +33 1 45.88.52.20
Date: Wed, 06 May 92 14:34:44 +0200

You write:
> Dear Stuart:
> 
> Jeff Meredith wrote:
>
> "Any postgres user can access any database and examine or modify any relation.
> The postgres rule systems can provide a rather unique way of doing your
> own security, i.e. defining rules to protect your relations. There is
> currently no builtin mechanism for determining who's accessing the system,
> but you can define your own function to determine this.

Can you give me an example of how to do this?

> However,
> without network security and serious DBMS support these measures would be
> easy to circumvent."

I have done this (at least to some extent).  I have modified the
postmaster so that it only accepts connections from my subnet and only
connections from privileged tcp ports.  I have modified the monitor so
that it is setuid root, uses a privileged port, and calls getuid(2) and
getpwent(3) to determine the user name to send to the postmaster.  In
this way the user name that the postmaster receives will be correct.
This was easy so I don't really know why somebody has not already done
it.  Perhaps I have missed something obvious.  Once I am sure that I am
not being naive I will post the patches.

The reason that I was forced to make these changes was that the default
configuration allows anybody on the Internet who knows my machine name
(not hard to find out if you look at the header of this mail) and the
port number (the default is 4321) to connect to my postgres server as
any postgres user.  Once connected, this person can read or destroy any
database.

Note that I was using the unmodified programs when I discovered that
any unix user (even when they are not being devious) can connect to
postgres.

Stuart Pook
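
An added example, not Stuart's patches (which he says he has not yet posted) and not Postgres code: the two checks the message describes, written out in C. The server side (the postmaster's role) accepts a connection only if the peer address is inside a trusted subnet and the peer's source port is a reserved port below 1024, which on BSD-derived systems only root can bind. The client side (the monitor's role, installed setuid root) binds a reserved source port, drops root before doing anything else, and takes the user name from getpwuid(getuid()) rather than from the environment or the command line (the message says getpwent(3); getpwuid(3) is used here because it looks the real uid up directly). The subnet 192.0.2.0/24, the names peer_is_trusted, make_peer, accept_if_trusted and client_connect_privileged, and the 512..1023 port range are assumptions for the example.

```c
/* Added example: subnet + reserved-port peer check (server side) and
 * setuid-root client that binds a reserved port and reports the real uid. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Assumed trusted subnet for the example (RFC 5737 documentation range). */
#define TRUSTED_NET  "192.0.2.0"
#define TRUSTED_MASK "255.255.255.0"

/* Return 1 if the peer is inside TRUSTED_NET/TRUSTED_MASK AND its source
 * port is below IPPORT_RESERVED.  Only root can bind such a port on a
 * BSD-style host, so a connection from one is evidence that the client
 * process ran as root on the originating machine (e.g. a setuid monitor). */
int peer_is_trusted(const struct sockaddr_in *peer)
{
    struct in_addr net, mask;

    if (peer->sin_family != AF_INET)
        return 0;
    if (inet_aton(TRUSTED_NET, &net) == 0 || inet_aton(TRUSTED_MASK, &mask) == 0)
        return 0;
    /* Both sides are in network byte order, so the mask applies directly. */
    if ((peer->sin_addr.s_addr & mask.s_addr) != (net.s_addr & mask.s_addr))
        return 0;                               /* outside the subnet */
    if (ntohs(peer->sin_port) >= IPPORT_RESERVED)
        return 0;                               /* unprivileged source port */
    return 1;
}

/* Build a sockaddr_in from a dotted quad and a host-order port (1 = ok). */
int make_peer(const char *ip, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_aton(ip, &out->sin_addr);
}

/* Server side: accept(), then drop the connection unless the peer passes. */
int accept_if_trusted(int listen_fd)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);

    if (fd < 0)
        return -1;
    if (!peer_is_trusted(&peer)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Client side (program installed setuid root): bind a reserved source port
 * while still root, give root up permanently, then derive the user name
 * from the real uid.  Returns the connected socket, or -1; `user` receives
 * the name the caller should send to the server. */
int client_connect_privileged(const struct sockaddr_in *server,
                              char *user, size_t ulen)
{
    struct sockaddr_in local;
    struct passwd *pw;
    uid_t real = getuid();
    int fd, port;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    for (port = IPPORT_RESERVED - 1; port >= 512; port--) {   /* assumed range */
        local.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&local, sizeof local) == 0)
            break;
    }
    if (port < 512 || setuid(real) != 0) {    /* no port, or could not drop root */
        close(fd);
        return -1;
    }

    pw = getpwuid(real);                       /* identity from the real uid only */
    if (pw == NULL) {
        close(fd);
        return -1;
    }
    strncpy(user, pw->pw_name, ulen - 1);
    user[ulen - 1] = '\0';

    if (connect(fd, (const struct sockaddr *)server, sizeof *server) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The reserved-port convention only tells the server that the client ran as root on the host that made the connection, so the check is worth exactly as much as root on every host in the trusted subnet and the network's resistance to address spoofing, which is the "network security" caveat in the quoted text. Dropping root with setuid() immediately after the bind() keeps the rest of the client running with the user's own privileges.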
