[bug#36191] [PATCH] gnu: postgres service: More secure default permissions.

[bug#36191] [PATCH] gnu: postgres service: More secure default permissions.

[Robert Vollmert]

This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.
---
 gnu/services/databases.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 7113f1f2a1..ec31489d48 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2019 Robert Vollmert <rob@vllmrt.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -91,9 +92,9 @@
 (define %default-postgres-hba
   (plain-file "pg_hba.conf"
               "
-local	all	all			trust
-host	all	all	127.0.0.1/32 	trust
-host	all	all	::1/128 	trust"))
+local	all	all			peer
+host	all	all	127.0.0.1/32 	md5
+host	all	all	::1/128 	md5"))
 
 (define %default-postgres-ident
   (plain-file "pg_ident.conf"
-- 
2.20.1 (Apple Git-117)

[bug#36191] [PATCH] gnu: postgres service: More secure default permissions.

[Ludovic Courtès]

Hello,

Robert Vollmert <rob@vllmrt.net> skribis:

> This changes to 'peer' authentication for local socket connections,
> and password-based authentication for local network connections.
>
> * gnu/services/databases.scm (%default-postgres-hba): Change
> authentication method.

That sounds reasonable to me.  Chris, WDYT?

Thanks,
Ludo’.

[bug#36191] [PATCH] gnu: postgres service: More secure default permissions.

[Giovanni Biscuolo]

[-- Attachment #1: Type: text/plain, Size: 563 bytes --]

Ludovic Courtès <ludo@gnu.org> writes:

> Robert Vollmert <rob@vllmrt.net> skribis:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me.  Chris, WDYT?

It's very reasonable to have such default auth methods for PostgresSQL:
we should apply this patch

Thanks Robert!

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#36191] [PATCH] gnu: postgres service: More secure default permissions.

[Christopher Baines]

[-- Attachment #1: Type: text/plain, Size: 487 bytes --]


Ludovic Courtès <ludo@gnu.org> writes:

> Hello,
>
> Robert Vollmert <rob@vllmrt.net> skribis:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me.  Chris, WDYT?

I'm definitely no authority on PostgreSQL authentication, but this
sounds sensible to me.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 962 bytes --]

bug#36191: [PATCH] gnu: postgres service: More secure default permissions.

[Ludovic Courtès]

Hello,

Giovanni Biscuolo <g@xelera.eu> skribis:

> It's very reasonable to have such default auth methods for PostgresSQL:
> we should apply this patch

Christopher Baines <mail@cbaines.net> skribis:

> I'm definitely no authority on PostgreSQL authentication, but this
> sounds sensible to me.

Alright, applied, thanks for your feedback!

Ludo’.