Security issue: Newly created roles with password are allowed to connect w/o password prompt #29

Closed
uazure opened this issue Oct 30, 2014 · 2 comments

uazure commented Oct 30, 2014

How to reproduce:

  • run a container to listen on some port, create new user and database:

    docker run -p 5432:5432 -d --name postgres postgres:9.3.5
    psql -h localhost -p 5432 -U postgres
    =# create database test; create user test with password 'test'; GRANT ALL privileges ON DATABASE test TO test; \q

After that I would expect that the test user can log in using his/her password.

    psql -h localhost -p 5432 -U test

But a password is not required (!!!)
This is really weird and unexpected behavior.

@yosifkit
Member

"Client authentication is controlled by a configuration file, which traditionally is named pg_hba.conf and is stored in the database cluster's data directory" (postgresql.org). I think you just need to provide a different pg_hba.conf that makes postgres use the users table, or set the authentication in there.

@yosifkit
Member

fixed in #36.
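
Added example, not part of the thread and not code from this repository or from #36: a role that has a password but connects without a prompt is what a pg_hba.conf rule using the `trust` method produces, so the sketch below parses a pg_hba.conf and lists every `trust` rule, marking those that match clients beyond loopback. The sample file content is constructed (it is not the image's actual file), and the function names are hypothetical.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, not the image's actual file.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               trust
host    all       all   127.0.0.1/32                trust
host    all       all   192.168.0.0 255.255.0.0     trust
host    all       all   0.0.0.0/0                   trust  # any client
host    test      test  10.0.0.0/8                  md5
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = shlex.split(raw, comments=True)  # drops '#' comments, honours "quotes"
        if len(f) >= 4 and f[0] == "local":
            yield lineno, f[0], f[1], f[2], None, f[3]
        elif len(f) >= 5 and f[0] in HOST_TYPES:
            address, rest = f[3], f[4:]
            if len(rest) >= 2 and _is_ip(rest[0]):  # separate IP-mask column
                address, rest = f"{address}/{rest[0]}", rest[1:]
            yield lineno, f[0], f[1], f[2], address, rest[0]

def loopback_only(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # "all", samenet, hostnames, IPv6 mask form: assume remote
        return False

def passwordless_rules(text):
    """Return 'trust' rules; 'remote' marks those reachable beyond loopback."""
    return [
        {"line": n, "type": t, "database": db, "user": user, "address": addr,
         "remote": t != "local" and not loopback_only(addr)}
        for n, t, db, user, addr, method in parse_hba(text)
        if method == "trust"
    ]

if __name__ == "__main__":
    for rule in passwordless_rules(SAMPLE_HBA):
        print(rule)
```

Because pg_hba.conf is evaluated top to bottom and the first matching rule wins, a `trust` line placed above a password rule for the same client range takes precedence over it.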
