even with a password set, one can connect without (this is a major security issue?) #1028


Closed
craff opened this issue Dec 29, 2022 · 3 comments

craff commented Dec 29, 2022

In docker-entrypoint.sh there is line 252:
```
    printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
```

That keeps trust! should be:
```
    printf 'local all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
    printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} > "$PGDATA/pg_hba.conf"
```
I can confirm that it works and am submitting a PR.
craff added a commit to craff/postgres that referenced this issue Dec 29, 2022

tianon (Member) commented Dec 29, 2022

This is intentionally keeping the PostgreSQL upstream default, which only allows unauthenticated connections locally, and can be modified/disabled via other means (and has been discussed in issues in this repository several times previously).

craff (Author) commented Dec 29, 2022 via email

yosifkit (Member) commented Jan 6, 2023

None of the PostgreSQL-provided default host entries in pg_hba.conf allow any remote access. They are all limited to localhost-only IP ranges that are not routable across a network, so none of them are exploitable even if the container is run with host mode networking (--network host).

$ docker run -it --rm -e POSTGRES_PASSWORD="password" --name=pg postgres

$ docker exec -it pg bash
root@ea22e289a6d0:/# grep -vE '^[#]|^\s*$' /var/lib/postgresql/data/pg_hba.conf
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
host all all all scram-sha-256
$ # ^ this last one is the one the entrypoint script adds

Without --network=host, these passwordless trust connections can only happen from within the container (like docker exec). If your situation requires them to be different, the file can be controlled via POSTGRES_INITDB_ARGS='--auth-local=scram-sha-256 --auth-host=scram-sha-256' to control the local connection initial default and the host connection initial default values in pg_hba.conf.

$ docker run -it --rm -e POSTGRES_PASSWORD="password" -e POSTGRES_INITDB_ARGS='--auth-local=scram-sha-256 --auth-host=md5' --name=pg --network=host postgres
...
$ docker exec -it pg bash
root@barad-dur:/# grep -vE '^[#]|^\s*$' /var/lib/postgresql/data/pg_hba.conf
local   all             all                                     scram-sha-256
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
local   replication     all                                     scram-sha-256
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
host all all all scram-sha-256

There is a table I made over in #897 (comment) that shows how POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256", POSTGRES_HOST_AUTH_METHOD=authValue, and -c password_encryption=encValue interact, though I am not certain how those also interact with --auth-local in initdb args.

yosifkit closed this as completed Jan 6, 2023
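
The behaviour discussed in this thread follows from PostgreSQL reading pg_hba.conf top to bottom and using the first rule that matches a connection, so the loopback and socket `trust` rules win before the appended `host all all all` line is reached. The following is an added example (not code from the thread or from the docker-library/postgres project) that models that lookup for the two rule sets quoted above. `sample_hba` and `first_match` are hypothetical helper names, the user column and host-name/samehost/samenet addresses are not modelled, and 192.0.2.10 is a constructed client address.

```python
import ipaddress

def sample_hba(auth_local, auth_host, appended="scram-sha-256"):
    """Constructed input: the rule set quoted in the thread, for the given
    initdb --auth-local / --auth-host values plus the entrypoint's last line."""
    rules = []
    for db in ("all", "replication"):
        rules += [f"local {db} all {auth_local}",
                  f"host {db} all 127.0.0.1/32 {auth_host}",
                  f"host {db} all ::1/128 {auth_host}"]
    return "\n".join(rules + [f"host all all all {appended}"])

def first_match(hba_text, client=None, database="postgres"):
    """Return the auth method of the first rule that matches a connection.
    client=None is a Unix-socket connection, otherwise the client IP address.
    Simplified: the user column, host names and samehost/samenet are ignored."""
    ip = ipaddress.ip_address(client) if client else None
    for line in hba_text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f or f[1] not in ("all", database):
            continue
        if f[0] == "local":
            if ip is None:
                return f[3]
            continue
        if ip is None or not f[0].startswith("host"):
            continue
        if f[3] == "all":
            return f[4]
        try:
            net = ipaddress.ip_network(f[3], strict=False)
        except ValueError:
            continue  # address form not modelled here
        if ip.version == net.version and ip in net:
            return f[4]
    return None  # no rule matched: PostgreSQL rejects the connection

if __name__ == "__main__":
    configs = {"image default": sample_hba("trust", "trust"),
               "with POSTGRES_INITDB_ARGS": sample_hba("scram-sha-256", "md5")}
    # 192.0.2.10 is a constructed, non-loopback client address.
    for name, hba in configs.items():
        for client in (None, "127.0.0.1", "::1", "192.0.2.10"):
            print(f"{name:26} {client or 'unix socket':12} -> {first_match(hba, client)}")
```

Running it prints which method each kind of client is asked for under both configurations.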