GNU bug report logs - #36191
[PATCH] gnu: postgres service: More secure default permissions.


Package: guix-patches;

Reported by: Robert Vollmert <rob <at> vllmrt.net>

Date: Thu, 13 Jun 2019 13:52:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#36191; Package guix-patches. (Thu, 13 Jun 2019 13:52:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Vollmert <rob <at> vllmrt.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 13 Jun 2019 13:52:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Robert Vollmert <rob <at> vllmrt.net>
To: guix-patches <at> gnu.org
Cc: Robert Vollmert <rob <at> vllmrt.net>
Subject: [PATCH] gnu: postgres service: More secure default permissions.
Date: Thu, 13 Jun 2019 15:50:37 +0200

This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.
---
 gnu/services/databases.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 7113f1f2a1..ec31489d48 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Christopher Baines <mail <at> cbaines.net>
 ;;; Copyright © 2018 Clément Lassieur <clement <at> lassieur.org>
 ;;; Copyright © 2018 Julien Lepiller <julien <at> lepiller.eu>
+;;; Copyright © 2019 Robert Vollmert <rob <at> vllmrt.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -91,9 +92,9 @@
 (define %default-postgres-hba
   (plain-file "pg_hba.conf"
               "
-local	all	all			trust
-host	all	all	127.0.0.1/32 	trust
-host	all	all	::1/128 	trust"))
+local	all	all			peer
+host	all	all	127.0.0.1/32 	md5
+host	all	all	::1/128 	md5"))
 
 (define %default-postgres-ident
   (plain-file "pg_ident.conf"
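Review bot: the switch from 'trust' to 'peer' on the 'local' line and to 'md5' on the two 'host' lines (127.0.0.1/32 and ::1/128) changes behaviour for existing deployments, and nothing in the patch documents it; the diffstat shows only gnu/services/databases.scm changed. With 'peer', a socket connection succeeds only when the OS user name matches the database role (or is mapped in pg_ident.conf), and with 'md5' a role that has no password set can no longer connect over loopback TCP. Please add a note to the service documentation describing the new defaults and how to migrate. If the packaged PostgreSQL is version 10 or later, 'scram-sha-256' would be a stronger choice than 'md5' for the 'host' lines.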
-- 
2.20.1 (Apple Git-117)
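
Added example (not part of the original message and not Guix code): a small Python check that parses pg_hba.conf records and reports any that use 'trust', run over the record lines removed and added by the patch above. The function names and sample strings are constructed for illustration; fields are assumed to be unquoted.

```python
import ipaddress

# Constructed inputs: the record lines removed and added by the patch above.
OLD_HBA = """
local   all   all                  trust
host    all   all   127.0.0.1/32   trust
host    all   all   ::1/128        trust"""
NEW_HBA = """
local   all   all                  peer
host    all   all   127.0.0.1/32   md5
host    all   all   ::1/128        md5"""
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        rtype = fields[0]
        if rtype == "local" and len(fields) >= 4:
            yield lineno, rtype, fields[1], fields[2], None, fields[3]
        elif rtype in HOST_TYPES and len(fields) >= 5:
            addr, rest = fields[3], fields[4:]
            # Older form: separate IP-address and IP-mask columns.
            if "/" not in addr and _is_ip(addr) and len(rest) >= 2 and _is_ip(rest[0]):
                addr, rest = addr + " " + rest[0], rest[1:]
            yield lineno, rtype, fields[1], fields[2], addr, rest[0]
        else:
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")


def audit(text):
    """Return findings for records that admit clients without any credential."""
    findings = []
    for lineno, rtype, db, user, addr, method in parse_hba(text):
        if method == "trust":
            where = addr or "unix socket"
            findings.append(f"line {lineno}: {rtype} {db}/{user} via {where} uses trust")
    return findings
```

Calling audit(OLD_HBA) reports all three records, while audit(NEW_HBA) returns an empty list.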





Information forwarded to guix-patches <at> gnu.org:
bug#36191; Package guix-patches. (Tue, 25 Jun 2019 15:41:02 GMT) Full text and rfc822 format available.

Message #8 received at 36191 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Robert Vollmert <rob <at> vllmrt.net>
Cc: 36191 <at> debbugs.gnu.org, Christopher Baines <mail <at> cbaines.net>
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default
 permissions.
Date: Tue, 25 Jun 2019 17:40:43 +0200

Hello,

Robert Vollmert <rob <at> vllmrt.net> skribis:

> This changes to 'peer' authentication for local socket connections,
> and password-based authentication for local network connections.
>
> * gnu/services/databases.scm (%default-postgres-hba): Change
> authentication method.

That sounds reasonable to me.  Chris, WDYT?

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#36191; Package guix-patches. (Wed, 26 Jun 2019 06:38:01 GMT) Full text and rfc822 format available.

Message #11 received at 36191 <at> debbugs.gnu.org (full text, mbox):

From: Giovanni Biscuolo <g <at> xelera.eu>
To: Ludovic Courtès <ludo <at> gnu.org>,
 Robert Vollmert <rob <at> vllmrt.net>
Cc: 36191 <at> debbugs.gnu.org
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default
 permissions.
Date: Wed, 26 Jun 2019 08:37:15 +0200

Ludovic Courtès <ludo <at> gnu.org> writes:

> Robert Vollmert <rob <at> vllmrt.net> skribis:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me.  Chris, WDYT?

It's very reasonable to have such default auth methods for PostgreSQL:
we should apply this patch

Thanks Robert!

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

Information forwarded to guix-patches <at> gnu.org:
bug#36191; Package guix-patches. (Fri, 28 Jun 2019 22:26:01 GMT) Full text and rfc822 format available.

Message #14 received at 36191 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 36191 <at> debbugs.gnu.org, Robert Vollmert <rob <at> vllmrt.net>
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default
 permissions.
Date: Fri, 28 Jun 2019 23:25:31 +0100

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello,
>
> Robert Vollmert <rob <at> vllmrt.net> skribis:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me.  Chris, WDYT?

I'm definitely no authority on PostgreSQL authentication, but this
sounds sensible to me.

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Tue, 02 Jul 2019 15:12:01 GMT) Full text and rfc822 format available.

Notification sent to Robert Vollmert <rob <at> vllmrt.net>:
bug acknowledged by developer. (Tue, 02 Jul 2019 15:12:02 GMT) Full text and rfc822 format available.

Message #19 received at 36191-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Giovanni Biscuolo <g <at> xelera.eu>
Cc: 36191-done <at> debbugs.gnu.org, Robert Vollmert <rob <at> vllmrt.net>
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default
 permissions.
Date: Tue, 02 Jul 2019 17:11:38 +0200

Hello,

Giovanni Biscuolo <g <at> xelera.eu> skribis:

> It's very reasonable to have such default auth methods for PostgreSQL:
> we should apply this patch

Christopher Baines <mail <at> cbaines.net> skribis:

> I'm definitely no authority on PostgreSQL authentication, but this
> sounds sensible to me.

Alright, applied, thanks for your feedback!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 31 Jul 2019 11:24:07 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 265 days ago.
