From: bug#36191 <36191@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: postgres service: More secure default permissions.
Date: Sun, 17 Aug 2025 03:57:17 +0000

retitle 36191 [PATCH] gnu: postgres service: More secure default permissions.
reassign 36191 guix-patches
submitter 36191 Robert Vollmert
severity 36191 normal
tag 36191 patch
thanks

From: Robert Vollmert
To: guix-patches@gnu.org
Subject: [PATCH] gnu: postgres service: More secure default permissions.
Date: Thu, 13 Jun 2019 15:50:37 +0200

This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.
--- gnu/services/databases.scm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 7113f1f2a1..ec31489d48 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm @@ -5,6 +5,7 @@ ;;; Copyright =C2=A9 2017 Christopher Baines ;;; Copyright =C2=A9 2018 Cl=C3=A9ment Lassieur ;;; Copyright =C2=A9 2018 Julien Lepiller +;;; Copyright =C2=A9 2019 Robert Vollmert ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -91,9 +92,9 @@ (define %default-postgres-hba (plain-file "pg_hba.conf" " -local all all trust -host all all 127.0.0.1/32 trust -host all all ::1/128 trust")) +local all all peer +host all all 127.0.0.1/32 md5 +host all all ::1/128 md5")) =20 (define %default-postgres-ident (plain-file "pg_ident.conf" --=20 2.20.1 (Apple Git-117)
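
Review bot: the two `host` lines in the second hunk move from `trust` to `md5`, which is PostgreSQL's older password method; if the packaged server supports it, `scram-sha-256` would be the stronger default here, and with either method a role that has no password set can no longer connect over 127.0.0.1 or ::1. The `local all all peer` line is also a behaviour change for existing systems: a socket connection now succeeds only when the OS user name matches the requested database role, or is mapped through the `pg_ident.conf` defined just below, so a service that connects as a role named differently from its account will start failing. Only gnu/services/databases.scm is touched, so a sentence in the manual describing the new defaults and how to override them would help people who hit this after upgrading.
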

From: Ludovic Courtès
To: Robert Vollmert
Cc: 36191@debbugs.gnu.org, Christopher Baines
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default permissions.
Date: Tue, 25 Jun 2019 17:40:43 +0200

Hello,

Robert Vollmert wrote:

> This changes to 'peer' authentication for local socket connections,
> and password-based authentication for local network connections.
>
> * gnu/services/databases.scm (%default-postgres-hba): Change
> authentication method.

That sounds reasonable to me. Chris, WDYT?

Thanks,
Ludo’.

From: Giovanni Biscuolo
To: Ludovic Courtès, Robert Vollmert
Cc: 36191@debbugs.gnu.org
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default permissions.
Date: Wed, 26 Jun 2019 08:37:15 +0200

Ludovic Courtès writes:

> Robert Vollmert wrote:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me. Chris, WDYT?

It's very reasonable to have such default auth methods for PostgreSQL:
we should apply this patch

Thanks Robert!

[...]

--
Giovanni Biscuolo

Xelera IT Infrastructures

From: Christopher Baines
To: Ludovic Courtès
Cc: 36191@debbugs.gnu.org, Robert Vollmert
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default permissions.
Date: Fri, 28 Jun 2019 23:25:31 +0100

Ludovic Courtès writes:

> Hello,
>
> Robert Vollmert wrote:
>
>> This changes to 'peer' authentication for local socket connections,
>> and password-based authentication for local network connections.
>>
>> * gnu/services/databases.scm (%default-postgres-hba): Change
>> authentication method.
>
> That sounds reasonable to me. Chris, WDYT?

I'm definitely no authority on PostgreSQL authentication, but this
sounds sensible to me.

From: Ludovic Courtès
To: Giovanni Biscuolo
Cc: 36191-done@debbugs.gnu.org, Robert Vollmert
Subject: Re: [bug#36191] [PATCH] gnu: postgres service: More secure default permissions.
Date: Tue, 02 Jul 2019 17:11:38 +0200

Hello,

Giovanni Biscuolo wrote:

> It's very reasonable to have such default auth methods for PostgreSQL:
> we should apply this patch

Christopher Baines wrote:

> I'm definitely no authority on PostgreSQL authentication, but this
> sounds sensible to me.

Alright, applied, thanks for your feedback!

Ludo’.

From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 31 Jul 2019 11:24:07 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
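
Added example, not part of the thread or of Guix: an audit of pg_hba.conf text that reports rules using `trust`, `password` or `md5`, run on the rule lines the patch at the top of this thread removes and adds. The severity labels, the function names and the simplified tokenizer are assumptions of this example.

```python
import ipaddress
# Constructed inputs: the rule lines removed and added by the patch in this thread.
OLD_HBA = "local all all trust\nhost all all 127.0.0.1/32 trust\nhost all all ::1/128 trust\n"
NEW_HBA = "local all all peer\nhost all all 127.0.0.1/32 md5\nhost all all ::1/128 md5\n"
# Severity per auth method (labels are this example's own); others are not reported.
SEVERITY = {"trust": "high",       # no authentication at all
            "password": "medium",  # cleartext password on the wire
            "md5": "low"}          # legacy hash; scram-sha-256 is stronger

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def loopback_only(addr):
    """True for a Unix socket (None) or an address range confined to loopback."""
    if addr is None:
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:  # hostname, 'all', 'samenet', ...: assume it is wider
        return False

def parse_hba(text):
    """Yield (lineno, address, method); assumes no quoted names or include directives."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        addr, tail = None, f[3:]            # fields after TYPE DATABASE USER
        if f[0] != "local" and tail:        # host* rules carry an address
            addr, tail = tail[0], tail[1:]
            if len(tail) > 1 and _is_ip(tail[0]):    # "ADDRESS MASK" form
                addr, tail = f"{addr}/{tail[0]}", tail[1:]
        if not tail:
            raise ValueError(f"line {lineno}: no auth method")
        yield lineno, addr, tail[0]

def audit(text):
    """Return (lineno, severity, method, scope, loopback_only) for each weak rule."""
    findings = []
    for lineno, addr, method in parse_hba(text):
        if method in SEVERITY:
            local = loopback_only(addr)
            sev = "critical" if method == "trust" and not local else SEVERITY[method]
            findings.append((lineno, sev, method, addr or "unix socket", local))
    return findings
```

On the old default every rule is reported as `high`; on the new default only the two `md5` rules remain, as `low`.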