 

Postgres accepts any password

Tags:

postgresql

I have the following code which connects to a database on my remote server (the connection script resides on the same server):

Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);

The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!

Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?

How can I enforce passwords, I have looked at the following stack overflow page and did what they said but still no luck: How to change PostgreSQL user password?

I am running Ubuntu 12.04 server with PHP 5.5 and Apache2

Kevin Orriss asked Jan 10 '14 21:01


People also ask

How do I connect to PostgreSQL without a password?

To make that entry work, do not specify a hostname or port for psql, then it will use a "local" connection through named pipes. Alternatively, you can local with host and then add 127.0.0.1 as the (client) IP address to "trust".

Should postgres user have a password?

For most systems, the default Postgres user is postgres and a password is not required for authentication. Thus, to add a password, we must first login and connect as the postgres user.

How do I enable password authentication in PostgreSQL?

To authenticate network connections from the PostgreSQL server's machine (non-socket connections) using passwords, you need to match a host connection type instead of local. You can then limit the acceptable addresses to the local loopback devices and allow users to authenticate using md5 or scram-sha-256.

How does postgres store passwords?

PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE ROLE and ALTER ROLE, e.g., CREATE ROLE foo WITH LOGIN PASSWORD 'secret', or the psql command \password.


1 Answer

Of course your PostgreSQL database can be properly configured to only accept connections from authenticated users, even only certain users (roles in Postgres) from certain IPs/sockets.

Some considerations:

  • Do you see data? Or can you just connect to the server? Can you list the databases?

  • Look at your pg_hba.conf and set up the proper permissions, per role, per database, per source

  • Did you grant access to mydatabase to everyone? Which roles did you grant access?

  • Does the database have its tables in the public schema? And granted access to the public?

  • Yes, with this configuration everyone who knows your IP and database name can connect to your database.

stUrb answered Oct 21 '22 04:10
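As an added example (not code from the question or the answer), the following Python script audits a pg_hba.conf for the configuration that produces exactly this symptom: a `host` line whose METHOD is `trust`, which tells the server to skip authentication entirely, so any password (or none) is accepted. It parses the file the way the server reads it, flags trust entries reachable over the network, classifies how wide the address range is, and rewrites the offending entry with a password-checking method. `scram-sha-256` is available on PostgreSQL 10 and later; older 9.x servers (such as the one Ubuntu 12.04 shipped) use `md5`. The sample configuration, the `webapp` role and the addresses are constructed for the demo.

```python
"""Audit pg_hba.conf for entries that let network clients in without a password check.

Added example, not code from the original question or answer. The sample
configuration below is constructed for illustration.
"""
import ipaddress

# Constructed sample pg_hba.conf (hypothetical). Line 4 is the kind of entry
# that makes PostgreSQL accept any password: "trust" skips authentication
# and 0.0.0.0/0 matches every IPv4 client.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             0.0.0.0/0               trust
host    mydatabase      webapp          10.0.0.5/32             md5
hostssl all             all             ::/0                    scram-sha-256
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf text into a list of dicts (comments and blank lines skipped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            # local lines have no ADDRESS column: TYPE DATABASE USER METHOD [OPTIONS]
            if len(fields) < 4:
                continue
            address, rest = None, fields[3:]
        elif conn_type in NETWORK_TYPES:
            if len(fields) < 5:
                continue
            address, rest = fields[3], fields[4:]
            # Old-style "IP NETMASK" addressing uses two tokens; fold them into CIDR form.
            if "/" not in address and rest and _is_ip(rest[0]):
                address, rest = f"{address}/{rest[0]}", rest[1:]
            if not rest:
                continue
        else:
            continue  # unknown TYPE; skip rather than guess
        entries.append({
            "line": lineno, "type": conn_type, "database": fields[1],
            "user": fields[2], "address": address, "method": rest[0],
            "options": rest[1:],
        })
    return entries


def network_scope(address):
    """Classify an ADDRESS field as 'any', 'loopback', 'private', 'public', or a keyword."""
    if address in ("all", "samehost", "samenet"):
        return "any" if address == "all" else address
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "hostname"  # pg_hba.conf also accepts DNS names; cannot classify offline
    if net.prefixlen == 0:  # check first: Python's is_private is True for 0.0.0.0/0
        return "any"
    if net.is_loopback:
        return "loopback"
    if net.is_private:
        return "private"
    return "public"


def audit(entries):
    """Return (line, database, user, address, scope) for every network entry using 'trust'."""
    findings = []
    for e in entries:
        if e["type"] == "local":
            continue  # Unix-socket entries are unreachable from other machines
        if e["method"] == "trust":
            findings.append((e["line"], e["database"], e["user"],
                             e["address"], network_scope(e["address"])))
    return findings


def hardened_line(entry, method="scram-sha-256"):
    """Rewrite an entry with a password-checking method (use 'md5' on PostgreSQL < 10)."""
    parts = [entry["type"], entry["database"], entry["user"]]
    if entry["address"] is not None:
        parts.append(entry["address"])
    return "  ".join(parts + [method] + entry["options"])


if __name__ == "__main__":
    entries = parse_pg_hba(SAMPLE_PG_HBA)
    by_line = {e["line"]: e for e in entries}
    for line, db, user, addr, scope in audit(entries):
        print(f"line {line}: {db}/{user} from {addr} ({scope}) uses trust; no password is checked")
        print("  replace with:", hardened_line(by_line[line]))
```

Entries are matched top to bottom and the first matching line wins, so a broad `trust` line placed above a stricter one silently overrides it. After editing pg_hba.conf the server must reload it (`SELECT pg_reload_conf();` as a superuser, or `pg_ctlcluster <version> main reload` on Ubuntu) before the change takes effect.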