Security issue: Newly created roles with password are allowed to connect w/o password prompt #29

Closed
@uazure

How to reproduce:

  • run a container to listen on some port, create new user and database:

    docker run -p 5432:5432 -d --name postgres postgres:9.3.5
    psql -h localhost -p 5432 -U postgres
    =# create database test; create user test with password 'test'; GRANT ALL privileges ON DATABASE test TO test; \q

After that I would expect that the test user can log in using his/her password.

    psql -h localhost -p 5432 -U test

But a password is not required(!!!)
This is really weird and unexpected behavior.

yosifkit commented on Oct 31, 2014

Member

"Client authentication is controlled by a configuration file, which traditionally is named pg_hba.conf and is stored in the database cluster's data directory" (postgresql.org). I think you just need to provide a different pg_hba.conf that makes postgres use the users table, or set the authentication in there.

yosifkit commented on Feb 11, 2015

Member

fixed in #36.
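
The pg_hba.conf point from the Oct 31, 2014 comment, as an added example that is not part of the issue thread or of docker-library/postgres: a Python check that lists the pg_hba.conf records letting non-loopback clients connect with the `trust` method, which skips the password check. The function names and the sample file are constructed for illustration; quoted fields and include directives are not handled.

```python
import ipaddress

# "trust" admits any matching client without a password check, so a password
# set with CREATE USER is never consulted for connections such a rule matches.
NO_PASSWORD_METHODS = {"trust"}

def _network(value):
    """CIDR or address/netmask string -> ip_network; None for keywords/hostnames."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def parse_hba(text):
    """Return (lineno, type, database, user, address, method) for each record."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(f) >= 4 and f[0] == "local":            # local DB USER METHOD
            address, method = None, f[3]
        elif len(f) >= 6 and _network(f"{f[3]}/{f[4]}") is not None:
            address, method = f"{f[3]}/{f[4]}", f[5]   # host DB USER IP MASK METHOD
        elif len(f) >= 5:                              # host DB USER ADDRESS METHOD
            address, method = f[3], f[4]
        else:
            continue
        records.append((lineno, f[0], f[1], f[2], address, method))
    return records

def loopback_only(address):
    """True for Unix-socket records and ranges wholly inside loopback."""
    net = _network(address) if address else None   # "all", hostnames -> None
    return address is None or (net is not None and net.is_loopback)

def passwordless_remote_rules(text):
    """Records that let non-loopback clients connect without a password."""
    return [r for r in parse_hba(text)
            if r[5] in NO_PASSWORD_METHODS and not loopback_only(r[4])]

# Constructed sample, not the contents of any real image's pg_hba.conf.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   0.0.0.0/0      trust
host    test      test  10.0.0.0 255.0.0.0 md5
"""
```

Run against the sample, `passwordless_remote_rules(SAMPLE)` returns only the `0.0.0.0/0 trust` record on line 5; changing that record's method to a password-based one such as `md5` empties the result.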


          Security issue: Newly created roles with password are allowed to connect w/o password prompt · Issue #29 · docker-library/postgres