I just installed postgresql 7.4.5 and pgadmin3 1.0.2 on FreeBSD and noticed
that pgadmin allows the pgsql user to log in while ignoring the password.
You can enter a wrong password or no password and still get into postgresql.

I started the postmaster as a FreeBSD user named pgsql by running
postmaster -i -D /usr/local/pgsql/data
I changed postgresql's pgsql user account to have a new password via
pgadmin3 too. But I can still log in to pgadmon3 using any or no password.

Any help would be appreciated!

I guess you run pgadmin locally, don't you?

This is because of "trust" permission for local users in your ph_hba.conf
What I normally do, I change the local socket mask to 770 and its group
to something like pgsql in postgresql.conf. So that it is impossible to
connect to it unless you
belong to that special group. The other lines in pg_hba.conf require md5
authentication via the network or localhost. But not through a local socket.

Basically pgsql seems to need a local trust access in order to start the
server.

All the above applies to earlier versions of postgres. I would expect that
your
release already has the "ident" modifier for "trust" in pg_hba.conf and it
should prevent pretending the other localusers to be a pgsql.

But I, personally still keep changing local socket permission for all my
installations,
just in case.



"John French" <hikenboots (AT) yahoo (DOT) com> wrote