Обсуждение: Password for postgresql superuser?

Is there any security risk in the postgresql superuser having a password?

I installed a Linux distro recently and had it install Postgresql.  It automatically set up the postgres account; the
accountwas set up with no password. 

I could of course create a password, but it's not clear to me that's a good thing from a security standpoint.

Sorry; I meant a password at the operating system level, not at the postgresql level.

On my Linux system, without an OS level password, the only way to log in (in Linux) to the postgres account is by
su'ingfrom root, which seems more secure than having a password for the postgres account. 

----- Original Message -----
From: "jqpx37" <jqpx37@iprive.com>
To: pgsql-general@postgresql.org
Sent: Thursday, June 08, 2006 11:05 AM
Subject: [GENERAL] Password for postgresql superuser?

 Is there any security risk in the postgresql superuser having a password?

 I installed a Linux distro recently and had it install Postgresql.  It automatically set up the postgres account; the
accountwas set up with no password. 

 I could of course create a password, but it's not clear to me that's a good thing from a security standpoint.
 ---------------------------(end of broadcast)---------------------------
 TIP 3: Have you checked our extensive FAQ?

                http://www.postgresql.org/docs/faq

On Thu, 2006-06-08 at 09:08 -0600, jqpx37 wrote:
> Sorry; I meant a password at the operating system level, not at the postgresql level.
>
> On my Linux system, without an OS level password, the only way to log in (in Linux) to the postgres account is by
su'ingfrom root, which seems more secure than having a password for the postgres account. 

Have you tried sudo ("sudo" command)?

It asks for a personal password, and grants whatever priviledge is
configured for that person, even root priviledge.

-R

> ----- Original Message -----
> From: "jqpx37" <jqpx37@iprive.com>
> To: pgsql-general@postgresql.org
> Sent: Thursday, June 08, 2006 11:05 AM
> Subject: [GENERAL] Password for postgresql superuser?
>
>  Is there any security risk in the postgresql superuser having a password?
>
>  I installed a Linux distro recently and had it install Postgresql.  It automatically set up the postgres account;
theaccount was set up with no password. 
>
>  I could of course create a password, but it's not clear to me that's a good thing from a security standpoint.
>  ---------------------------(end of broadcast)---------------------------
>  TIP 3: Have you checked our extensive FAQ?
>
>                 http://www.postgresql.org/docs/faq
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
>
>                http://archives.postgresql.org
--
-R

jqpx37@iprive.com ("jqpx37") writes:

> Is there any security risk in the postgresql superuser having a
> password?
>
> I installed a Linux distro recently and had it install Postgresql.
> It automatically set up the postgres account; the account was set up
> with no password.
>
> I could of course create a password, but it's not clear to me that's
> a good thing from a security standpoint.

That depends on your security policies.

There's a pretty good argument to be made that a 'postgres' account
should only permit people in via "su -", in which case it might not
need to have an individual password...
--
(format nil "~S@~S" "cbbrowne" "cbbrowne.com")
http://www3.sympatico.ca/cbbrowne/oses.html
"If you give someone Fortran, he has Fortran.
If you give someone Lisp, he has any language he pleases."
-- Guy L. Steele Jr.

----- Original Message -----
From: "Chris Browne" <cbbrowne@acm.org>
To: pgsql-general@postgresql.org
Sent: Thursday, June 08, 2006 01:30 PM
Subject: [GENERAL] Password for postgresql superuser?

> jqpx37@iprive.com ("jqpx37") writes:
>
> > Is there any security risk in the postgresql superuser having a
> > password?
> >
> > I installed a Linux distro recently and had it install Postgresql.
> > It automatically set up the postgres account; the account was set up
> > with no password.
> >
> > I could of course create a password, but it's not clear to me that's
> > a good thing from a security standpoint.
>
> That depends on your security policies.
>
> There's a pretty good argument to be made that a 'postgres' account
> should only permit people in via "su -", in which case it might not
> need to have an individual password...

Thanks for your response.

I found allusions to the point your making, though no detailed explanation.  It makes sense even without a thorough
explication.

Best wishes

> --
> (format nil "~S@~S" "cbbrowne" "cbbrowne.com")
> http://www3.sympatico.ca/cbbrowne/oses.html
> "If you give someone Fortran, he has Fortran.
> If you give someone Lisp, he has any language he pleases."
> -- Guy L. Steele Jr.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faq