Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Postgres accepts any password

Tags:

postgresql

I have the following code which connects to a database on my remote server (the connection script resides on the same server):

Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);

The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!

Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?

How can I enforce passwords, I have looked at the following stack overflow page and did what they said but still no luck: How to change PostgreSQL user password?

I am running Ubuntu 12.04 server with PHP 5.5 and Apache2

like image 987
Kevin Orriss Avatar asked Jan 10 '14 21:01

Kevin Orriss

People also ask

How do I connect to PostgreSQL without a password?

To make that entry work, do not specify a hostname or port for psql , then it will use a "local" connection through named pipes. Alternatively, you can local with host and then add 127.0. 0.1 as the (client) IP address to "trust".

Should postgres user have a password?

For most systems, the default Postgres user is postgres and a password is not required for authentication. Thus, to add a password, we must first login and connect as the postgres user.

How do I enable password authentication in PostgreSQL?

To authenticate network connections from the PostgreSQL server's machine (non-socket connections) using passwords, you need to match a host connection type instead of local . You can then limit the acceptable addresses to the local loopback devices and allow users to authenticate using md5 or scram-sha-256 .

How does postgres store passwords?

PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE ROLE and ALTER ROLE, e.g., CREATE ROLE foo WITH LOGIN PASSWORD 'secret' , or the psql command \password .

1 Answers

Off course your postgresql database can be properly configured to only connect with authenticated users even certain users (Roles in Postgres) from certain IPs/sockets.

Some considerations:

  • Do you see data? Or can you just connect to the server? Can you list the databases?

  • Look at your pg_hba.conf and setup the proper permissions, per role per database per source

  • Did you grant access to the mydatabase to everyone? Which roles did you grant access?

  • Does the database have its tables in the public scheme? And granted access to the public?

  • Yes, with this configuration everyone who knows your IP and database name can connect to your database.

like image 149
stUrb Avatar answered Oct 21 '22 04:10

stUrb
Sign in to Comment

Related questions

How to connect to Traefik TCP Services with TLS configuration enabled?
Visual Studio database project alternative for PostgreSQL? [closed]
Is it possible to use postgresql 9.3 json type in associations (belongs_to) as foreign_key
'Unicode' vs. 'String' with SQLAlchemy and PostgreSQL
Using dynamic models in Django framework
PostgreSQL - implementing a reliable queue
Spring data repository sends null as bytea to PostgreSQL database
How to fix PG::DuplicatePstatement: ERROR?
Django ORM leaves idle connections on Postgres DB
PostgreSql: 'utf8' codec can't decode byte 0xe9 in position 42: invalid continuation byte
How to ALTER a view in PostgreSQL
What type should I use to store emoji in PostgreSQL?
Unique together involving multiple foreign keys & a many to many field
How to add custom DB provider to be accessible in Visual Studio?
Recursive query used for transitive closure
Execute multiple queries in a single statement using postgres and node js
Multiple LEFT JOINs - what is the "left" table?
FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "prod", SSL off
What options do I have for creating OLAP cubes with Postgres and making it accessible via .net webservices/wcf? [closed]
How to use USING clause in Alembic/SQLAchemy?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!