From patchwork Thu Jun 13 13:50:37 2019
X-Patchwork-Submitter: Robert Vollmert
X-Patchwork-Id: 14296
Subject: [bug#36191] [PATCH] gnu: postgres service: More secure default permissions.
To: 36191@debbugs.gnu.org
From: Robert Vollmert
Date: Thu, 13 Jun 2019 15:50:37 +0200
Message-Id: <20190613135037.10645-1-rob@vllmrt.net>

This changes to 'peer' authentication for local socket connections, and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change authentication method.

--- gnu/services/databases.scm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 7113f1f2a1..ec31489d48 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2017 Christopher Baines ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2018 Julien Lepiller +;;; Copyright © 2019 Robert Vollmert ;;; ;;; This file is part of GNU Guix. ;;; @@ -91,9 +92,9 @@ (define %default-postgres-hba (plain-file "pg_hba.conf" " -local all all trust -host all all 127.0.0.1/32 trust -host all all ::1/128 trust")) +local all all peer +host all all 127.0.0.1/32 md5 +host all all ::1/128 md5")) (define %default-postgres-ident (plain-file "pg_ident.conf"
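Review bot: The new defaults in the %default-postgres-hba hunk change who can connect, and nothing in the patch documents that. The `local` line now uses `peer` with no `map=` option, so a socket connection is accepted only when the operating-system user name equals the database role name, and the pg_ident.conf defined just below is not consulted. The two `host` lines now use `md5`, which rejects any role that has no password set. Systems that relied on the previous `trust` entries will lose access after upgrading, yet the diffstat shows only gnu/services/databases.scm changed. Please add a note to the service documentation describing the new defaults and how to override them, and mention the compatibility impact in the commit message. It is also worth checking whether `scram-sha-256` can be used with the packaged PostgreSQL version instead of `md5` on the loopback entries, since it is the stronger of the two password methods.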