Return-Path: pg_adm@postgres.berkeley.edu
Received: by postgres.Berkeley.EDU (5.61/1.29)
	id AA13183; Mon, 18 May 92 07:52:53 -0700
Message-Id: <9205181452.AA13183@postgres.Berkeley.EDU>
From: Stuart Pook <stuart@exogene.genethon.fr>
Subject: any user can connect to postgres
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
Organization: Genethon, 13 Place de Rungis, 75013 Paris, France
 tel +33 1 45.65.13.00, fax +33 1 45.88.52.20
Date: Mon, 18 May 92 16:53:00 +0200

Two weeks ago there was a discussion, started by me, about the fact that on
Sun SPARCs any user can connect to postgres via the monitor.  Jeff Meredith
indicated that "this isn't supposed to happen".  Could he, perhaps, let us
know why this happens and whether it is possible to fix this problem?  (Or
resend any mail that I, for some unknown reason, missed.)

To refresh all our memories I will quote djones%super@uunet.UU.NET:

> First a note of confirmation of the previous security problem posting.
> On Sun (SPARC2,IPC) SunOS (4.1.1, 4.1.1B, 4.1.2) *any* user can do the
> following:
> 	/usr/postgres/bin/monitor foo
> and proceed to mung the database foo.  I don't know about other platforms,
> but it is a serious detriment to doing "real" work with postgres.  Anyone
> can maliciously delete all of your data. Is there any chance this will be
> fixed in the upcoming release?

Thanks heaps!

Stuart Pook
