Bug #3918
closed
Password option is not effective in database.yaml
Added by Lukas Zapletal over 10 years ago.
Updated over 6 years ago.
Description
It looks like the pg adapter in Rails uses UNIX sockets, which we
configure to trust when ident is set properly.
Here is my pgsql configuration (this is what puppet configured):
# grep -v '#' /var/lib/pgsql/data/pg_hba.conf
local all postgres ident
local all all ident
host all postgres 0.0.0.0/0 reject
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
As you can see, we allow ident authentication for local (UNIX) sockets
for all users and then we allow password authentication for TCP on
localhost (last two lines). The TCP connection is never used, at least
not for me on RHEL6 / Foreman 1.3.
It's not a security incident luckily, we should get this sorted for
sure by either disallowing all ident, or removing the (confusing)
password from the database.yaml file.
Reported by Cristian Falcas - thanks.
To confirm this, list postgresql processes. In this case, I have running instance of Foreman:
postgres 2298 0.0 0.9 216148 7544 ? Ss 15:00 0:00 postgres: foreman foreman [local] idle
And one psql session via TCP with password provided:
postgres 2350 0.0 0.3 214960 2900 ? Ss 15:01 0:00 postgres: foreman foreman ::1(48073) idle
Could you check or paste database.yml here? I saw this in case where host: configuration key was missing.
Sure, this is not there. We can either add that, or keep sockets (which might be faster? :-)
[root@el ~]# cat /etc/foreman/database.yml
### File managed with puppet ###
## Module: 'foreman'
## Template source: 'MODULES/foreman/templates/database.yml.erb'
# SQLite version 3.x
development:
adapter: sqlite3
database: db/development.sqlite3
pool: 5
timeout: 5000
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
adapter: sqlite3
database: db/test.sqlite3
pool: 5
timeout: 5000
# Database is managed by foreman::database::postgresql
production:
adapter: postgresql
database: foreman
username: foreman
password: "m3eMJVZyvguHSopSZtE8sFFUL2QPWucQ"
My intention when implementing it was to use ident + sockets and for the password to not be used, so it could be removed.
- Project changed from Foreman to Installer
- Category deleted (
Packaging)
- Status changed from New to Rejected
I don't consider this a problem. It's not a security issue and the option is used when connecting to a remote host. This is just how the pg gem works.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by