Subject: Re: [gentoo-user] PosgreSQL - pg_hba.conf localhost access only
From: "J. Roeleveld"
Date: Tue, 23 Apr 2013 20:10:12 +0200
To: gentoo-user@lists.gentoo.org

Joseph wrote:
>On 04/23/13 15:57, J. Roeleveld wrote:
>>On Tue, April 23, 2013 14:37, Joseph wrote:
>>> On 04/23/13 10:07, J. Roeleveld wrote:
>>>>On Tue, April 23, 2013 02:17, Joseph wrote:
>>>>> In my "pg_hba.conf" I have:
>>>>>
>>>>> local all all trust
>>>>> host all all 127.0.0.1/32 trust
>>>>>
>>>>> I was under impression that this configuration is for localhost
>>>>> "127.0.0.1" access only.
>>>>> But to my surprise I can access my database from other machine on my
>>>>> network and even from another sub-network that I'm connected to via VPN
>>>>>
>>>>> How this authentication/access work?
>>>>
>>>>Normally that should be sufficient.
>>>>On which machine does the client-software run?
>>>>
>>>>--
>>>>Joost Roeleveld
>>>
>>> postgresql server runs on my machine but all other machines on the network
>>> including the one on remote location that I'm connected to via VPN can
>>> connect to postgresql
>>> database.
>>> I don't want other machine to have access to my server database.
>>>
>>> Even with a single line in pg_hba.conf
>>> local all all trust
>>>
>>> all other machine on the network can connect to my postgresql database.
>>
>>If the PostgreSQL database is running on machine X.
>>And you are using machine Y.
>>
>>What command do you type to connect on machine Y?
>>
>>--
>>Joost
>
>I'm using SQL-Ledger (firefox) to access the postgresql.
>Brief history:
>I had a problem in the past when I upgraded to postgresql-9.1, all of a
>sudden I could not access the sql-ledger.
>
>The solution was to add "postgres group" to apache user.
>The reason for it was the change in directory permission:
>
>postgresql 8.x
>drwxrwx--x 2 postgres postgres 4096 Dec 14 19:57 /var/run/postgresql/
>
>postgresql 9.x
>drwxrwx--- 2 postgres postgres 4096 Dec 19 13:21 /var/run/postgresql/
>
>So:
>groups apache
>apache postgres
>
>groups postgres
>postgres
>
>I hope this is correct as adding group "apache" to postgres user does
>not work.
>
>But I just realized that any user from local network can access my
>sql-ledger using browser.
>--
>Joseph

Joseph.

I am guessing Apache is running on the same machine as your Postgresql server?
In this case, the connection will always originate from localhost and Postgresql is behaving as it should.

You will need to secure access to the website to avoid people accessing it.

Kind regards

Joost Roeleveld
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
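
Added example, not part of the original message: a simplified Python model of pg_hba.conf first-match evaluation over the two rules quoted in the thread, showing that the rules are checked against the peer PostgreSQL sees for the database connection, which for SQL-Ledger under Apache on the database host is the Unix socket or 127.0.0.1 wherever the browser is. The database and user names and the 192.168.1.50 address are constructed, and only `local` and `host` lines with a CIDR address are handled.

```python
import ipaddress

PG_HBA = """\
local  all  all                trust
host   all  all  127.0.0.1/32  trust
"""

def parse_hba(text):
    """Parse 'local' and 'host' lines whose address is in CIDR form (simplified)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":            # local DATABASE USER METHOD
            ctype, db, user, method = fields[:4]
            net = None
        else:                               # host DATABASE USER ADDRESS METHOD
            ctype, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr)
        rules.append((ctype, db, user, net, method))
    return rules

def auth_method(rules, db, user, peer_ip=None):
    """Method of the first matching rule, or None when nothing matches (connection
    refused). peer_ip is what PostgreSQL sees; None means a Unix-domain socket."""
    for ctype, rdb, ruser, net, method in rules:
        if rdb not in ("all", db) or ruser not in ("all", user):
            continue
        if peer_ip is None:
            if ctype == "local":
                return method
        elif ctype == "host" and ipaddress.ip_address(peer_ip) in net:
            return method
    return None

def demo():
    rules = parse_hba(PG_HBA)
    db, user = "ledger", "sql-ledger"       # constructed names
    return {
        # psql started on a LAN machine (constructed address): no rule matches.
        "direct from 192.168.1.50": auth_method(rules, db, user, "192.168.1.50"),
        # Browser on that LAN machine -> Apache/SQL-Ledger on the database host:
        # PostgreSQL only sees the web application's own connection.
        "via web app, Unix socket": auth_method(rules, db, user, None),
        "via web app, TCP loopback": auth_method(rules, db, user, "127.0.0.1"),
    }

if __name__ == "__main__":
    print(demo())
```

Both web-application paths resolve to `trust`, so every request Apache accepts reaches the database unauthenticated; the access control has to sit in front of the web application.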