initdb: Change authentication defaults

Change the defaults for the pg_hba.conf generated by initdb to "peer"
for local (if supported, else "md5") and "md5" for host.

(Changing from "md5" to SCRAM is left as a separate exercise.)

"peer" is currently not supported on AIX, HP-UX, and Windows.  Users
on those operating systems will now either have to provide a password
to initdb or choose a different authentication method when running
initdb.

Reviewed-by: Julien Rouhaud 
Discussion: https://www.postgresql.org/message-id/flat/bec17f0a-ddb1-8b95-5e69-368d9d0a3390%40postgresql.org

diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml
index da5c8f53075ca934295fa221b56bb33699075da4..74b994b6498cf2fff227e5317efbcc71ec9309f1 100644 (file)
--- a/doc/src/sgml/ref/initdb.sgml
+++ b/doc/src/sgml/ref/initdb.sgml
@@ -136,9 +136,24 @@ PostgreSQL documentation
         replication connections.
        
 
+       
+        The default is peer for Unix-domain socket
+        connections on operating systems that support it, otherwise
+        md5, and md5 for TCP/IP
+        connections.
+       
+
+       
+        When running initdb on a platform that does not
+        support peer authentication, either a password must
+        be provided (see -W and other options) or a different
+        authentication method must be chosen, otherwise
+        initdb will error.
+       
+
        
         Do not use trust unless you trust all local users on your
-        system.  trust is the default for ease of installation.
+        system.
        
       
      

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 365ec75aad830e496fa13157317d7e48e19b4078..305698aa0e7b921c435b8978f6a4668764d48483 100644 (file)
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -156,24 +156,19 @@ postgres$ initdb -D /usr/local/pgsql/data
   
 
   
-   However, while the directory contents are secure, the default
-   client authentication setup allows any local user to connect to the
-   database and even become the database superuser. If you do not
-   trust other local users, we recommend you use one of
+   The default client authentication setup is such that users can connect over
+   the Unix-domain socket to the same database user name as their operating
+   system user names (on operating systems that support this, which are most
+   modern Unix-like systems, but not Windows) and otherwise with a password.
+   To assign a password to the initial database superuser, use one of
    initdb's -W, --pwprompt
-   or --pwfile options to assign a password to the
-   database superuser.
+   or --pwfile options.
      password
      of the superuser
    
-   Also, specify -A md5 or
-   -A password so that the default trust authentication
-   mode is not used; or modify the generated pg_hba.conf
-   file after running initdb, but
-   before you start the server for the first time. (Other
-   reasonable approaches include using peer authentication
-   or file system permissions to restrict connections. See 
-   linkend="client-authentication"/> for more information.)
+   This configuration is secure and sufficient to get started.  Later, see
+    for more information about setting
+   up client authentication.
   
 
   


diff --git a/doc/src/sgml/standalone-install.xml b/doc/src/sgml/standalone-install.xml

index f584789f9a49ff545ad9721ec79dea291e857c22..749a071061a6d2606ddf8b14e70a0ecd34457434 100644 (file)

--- a/doc/src/sgml/standalone-install.xml
+++ b/doc/src/sgml/standalone-install.xml
@@ -63,15 +63,6 @@ postgres$ /usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
     
    
 
-   
-    
-     At this point, if you did not use the initdb -A
-     option, you might want to modify pg_hba.conf to control
-     local access to the server before you start it.  The default is to
-     trust all local users.
-    
-   
-
    
     
      The previous initdb step should have told you how to


diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c

index 04d77ad70069a76b5b7a697a3d9c0594f1740902..4bda023e577b28cd94f64f0ea802f5d9afb9fb4e 100644 (file)

--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -185,7 +185,6 @@ static const char *default_timezone = NULL;
 "# allows any local user to connect as any PostgreSQL user, including\n" \
 "# the database superuser.  If you do not trust all your local users,\n" \
 "# use another authentication method.\n"
-static bool authwarning = false;
 
 /*
  * Centralized knowledge of switches to pass to backend
@@ -2391,16 +2390,6 @@ usage(const char *progname)
    printf(_("\nReport bugs to .\n"));
 }
 
-static void
-check_authmethod_unspecified(const char **authmethod)
-{
-   if (*authmethod == NULL)
-   {
-       authwarning = true;
-       *authmethod = "trust";
-   }
-}
-
 static void
 check_authmethod_valid(const char *authmethod, const char *const *valid_methods, const char *conntype)
 {
@@ -3248,8 +3237,16 @@ main(int argc, char *argv[])
        exit(1);
    }
 
-   check_authmethod_unspecified(&authmethodlocal);
-   check_authmethod_unspecified(&authmethodhost);
+   if (authmethodlocal == NULL)
+   {
+#ifdef HAVE_AUTH_PEER
+           authmethodlocal = "peer";
+#else
+           authmethodlocal = "md5";
+#endif
+   }
+   if (authmethodhost == NULL)
+       authmethodhost = "md5";
 
    check_authmethod_valid(authmethodlocal, auth_methods_local, "local");
    check_authmethod_valid(authmethodhost, auth_methods_host, "host");
@@ -3332,14 +3329,6 @@ main(int argc, char *argv[])
    else
        printf(_("\nSync to disk skipped.\nThe data directory might become corrupt if the operating system crashes.\n"));
 
-   if (authwarning)
-   {
-       printf("\n");
-       pg_log_warning("enabling \"trust\" authentication for local connections");
-       fprintf(stderr, _("You can change this by editing pg_hba.conf or using the option -A, or\n"
-                         "--auth-local and --auth-host, the next time you run initdb.\n"));
-   }
-
    /*
     * Build up a shell command to tell the user how to start the server
     */


diff --git a/src/include/port.h b/src/include/port.h

index b5c03d912b0fef4db404d33ad4122523dca385a6..2536a2586c5e493d053579c59128ecc4a32992d6 100644 (file)

--- a/src/include/port.h
+++ b/src/include/port.h
@@ -361,6 +361,11 @@ extern int fls(int mask);
 extern int getpeereid(int sock, uid_t *uid, gid_t *gid);
 #endif
 
+/* must match src/port/getpeereid.c */
+#if defined(HAVE_GETPEEREID) || defined(SO_PEERCRED) || defined(LOCAL_PEERCRED) || defined(HAVE_GETPEERUCRED)
+#define HAVE_AUTH_PEER 1
+#endif
+
 #ifndef HAVE_ISINF
 extern int isinf(double x);
 #else


diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c

index 117a9544eaf1e27869bbfb01cf57f22070615a9b..4e524b22ca2de02d6bddb6263c75ba064fbd56f8 100644 (file)

--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -2302,7 +2302,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
        /* initdb */
        header(_("initializing database system"));
        snprintf(buf, sizeof(buf),
-                "\"%s%sinitdb\" -D \"%s/data\" --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
+                "\"%s%sinitdb\" -D \"%s/data\" -A trust --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
                 bindir ? bindir : "",
                 bindir ? "/" : "",
                 temp_instance,

diff --git a/doc/src/sgml/standalone-install.xml b/doc/src/sgml/standalone-install.xml
index f584789f9a49ff545ad9721ec79dea291e857c22..749a071061a6d2606ddf8b14e70a0ecd34457434 100644 (file)
--- a/doc/src/sgml/standalone-install.xml
+++ b/doc/src/sgml/standalone-install.xml
@@ -63,15 +63,6 @@ postgres$ /usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
     
    
 
-   
-    
-     At this point, if you did not use the initdb -A
-     option, you might want to modify pg_hba.conf to control
-     local access to the server before you start it.  The default is to
-     trust all local users.
-    
-   
-
    
     
      The previous initdb step should have told you how to

diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 04d77ad70069a76b5b7a697a3d9c0594f1740902..4bda023e577b28cd94f64f0ea802f5d9afb9fb4e 100644 (file)
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -185,7 +185,6 @@ static const char *default_timezone = NULL;
 "# allows any local user to connect as any PostgreSQL user, including\n" \
 "# the database superuser.  If you do not trust all your local users,\n" \
 "# use another authentication method.\n"
-static bool authwarning = false;
 
 /*
  * Centralized knowledge of switches to pass to backend
@@ -2391,16 +2390,6 @@ usage(const char *progname)
    printf(_("\nReport bugs to .\n"));
 }
 
-static void
-check_authmethod_unspecified(const char **authmethod)
-{
-   if (*authmethod == NULL)
-   {
-       authwarning = true;
-       *authmethod = "trust";
-   }
-}
-
 static void
 check_authmethod_valid(const char *authmethod, const char *const *valid_methods, const char *conntype)
 {
@@ -3248,8 +3237,16 @@ main(int argc, char *argv[])
        exit(1);
    }
 
-   check_authmethod_unspecified(&authmethodlocal);
-   check_authmethod_unspecified(&authmethodhost);
+   if (authmethodlocal == NULL)
+   {
+#ifdef HAVE_AUTH_PEER
+           authmethodlocal = "peer";
+#else
+           authmethodlocal = "md5";
+#endif
+   }
+   if (authmethodhost == NULL)
+       authmethodhost = "md5";
 
    check_authmethod_valid(authmethodlocal, auth_methods_local, "local");
    check_authmethod_valid(authmethodhost, auth_methods_host, "host");
@@ -3332,14 +3329,6 @@ main(int argc, char *argv[])
    else
        printf(_("\nSync to disk skipped.\nThe data directory might become corrupt if the operating system crashes.\n"));
 
-   if (authwarning)
-   {
-       printf("\n");
-       pg_log_warning("enabling \"trust\" authentication for local connections");
-       fprintf(stderr, _("You can change this by editing pg_hba.conf or using the option -A, or\n"
-                         "--auth-local and --auth-host, the next time you run initdb.\n"));
-   }
-
    /*
     * Build up a shell command to tell the user how to start the server
     */

diff --git a/src/include/port.h b/src/include/port.h
index b5c03d912b0fef4db404d33ad4122523dca385a6..2536a2586c5e493d053579c59128ecc4a32992d6 100644 (file)
--- a/src/include/port.h
+++ b/src/include/port.h
@@ -361,6 +361,11 @@ extern int fls(int mask);
 extern int getpeereid(int sock, uid_t *uid, gid_t *gid);
 #endif
 
+/* must match src/port/getpeereid.c */
+#if defined(HAVE_GETPEEREID) || defined(SO_PEERCRED) || defined(LOCAL_PEERCRED) || defined(HAVE_GETPEERUCRED)
+#define HAVE_AUTH_PEER 1
+#endif
+
 #ifndef HAVE_ISINF
 extern int isinf(double x);
 #else

diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
index 117a9544eaf1e27869bbfb01cf57f22070615a9b..4e524b22ca2de02d6bddb6263c75ba064fbd56f8 100644 (file)
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -2302,7 +2302,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
        /* initdb */
        header(_("initializing database system"));
        snprintf(buf, sizeof(buf),
-                "\"%s%sinitdb\" -D \"%s/data\" --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
+                "\"%s%sinitdb\" -D \"%s/data\" -A trust --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
                 bindir ? bindir : "",
                 bindir ? "/" : "",
                 temp_instance,