Return-Path: mer
Received: by postgres.Berkeley.EDU (5.61/1.29)
	id AA15948; Mon, 18 May 92 11:13:12 -0700
Message-Id: <9205181813.AA15948@postgres.Berkeley.EDU>
From: mer@postgres.Berkeley.EDU
Subject: Re: any user can connect to postgres
To: postgres@postgres.berkeley.edu
Sender: pg_adm@postgres.berkeley.edu
In-Reply-To: Your message of "Mon, 18 May 92 16:53:00 +0200."
             <9205181452.AA13183@postgres.Berkeley.EDU> 
Date: Mon, 18 May 92 11:17:37 -0700
From: mer@postgres.Berkeley.EDU
X-Mts: smtp

In message <9205181452.AA13183@postgres.Berkeley.EDU> you write:
> Two weeks ago there was a discussion, started by me, about the fact that on
> Sun SPARCs any user can connect to postgres via the monitor.  Jeff Meredith
> indicated that "this isn't supposed to happen".  Could he, perhaps, let us
> know why this happens and whether it is possible to fix this problem?  (Or
> resend any mail that I, for some unknown reason, missed.)
> 
> To refresh all our memories I will quote djones%super@uunet.UU.NET:
> 
> > First a note of confirmation of the previous security problem posting.
> > On Sun (SPARC2,IPC) SunOS (4.1.1, 4.1.1B, 4.1.2) *any* user can do the
> > following:
> > 	/usr/postgres/bin/monitor foo
> > and proceed to mung the database foo.  I don't know about other platforms,
> > but it is a serious detriment to doing "real" work with postgres.  Anyone
> > can maliciously delete all of your data. Is there any chance this will be
> > fixed in the upcoming release?

I'm a little confused by your problem as I don't see the same behavior on
my SPARC.  It could be that the problem has been fixed since 3.1.  I will
go over the code that does the check.


Jeff Meredith
+-----------------------------+
| Think POSTGRES, act locally |
