authorRobert Vollmert <rob@vllmrt.net>2019-06-13 15:50:37 +0200
committerLudovic Courtès <ludo@gnu.org>2019-07-02 18:33:51 +0200
commit334a2f4def1d4f9dc37718d847923cd941849607 (patch)
tree1abc9ae637db2f8e5d5e4c9c6e18afa765f46f56
parent9616b81e9861c831159a0e1a5993854b9ad3c3e5 (diff)
downloadguix-334a2f4def1d4f9dc37718d847923cd941849607.tar.gz
gnu: postgres service: More secure default permissions.
This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r--gnu/services/databases.scm7
1 files changed, 4 insertions, 3 deletions
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 7113f1f2a1..ec31489d48 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2019 Robert Vollmert <rob@vllmrt.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -91,9 +92,9 @@
 (define %default-postgres-hba
   (plain-file "pg_hba.conf"
               "
-local	all	all			trust
-host	all	all	127.0.0.1/32 	trust
-host	all	all	::1/128 	trust"))
+local	all	all			peer
+host	all	all	127.0.0.1/32 	md5
+host	all	all	::1/128 	md5"))
 
 (define %default-postgres-ident
   (plain-file "pg_ident.conf"
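Review bot: The two `host` lines on the new side select `md5`, the weaker of PostgreSQL's two password methods; on PostgreSQL 10 or later `scram-sha-256` is the stronger choice, e.g. `host	all	all	127.0.0.1/32 	scram-sha-256` and the same for `::1/128`. That only works once role passwords are stored as SCRAM verifiers (`password_encryption = scram-sha-256`), which this hunk does not show, so it may need to land together with a change to the default server configuration. Separately, moving away from `trust` means loopback TCP clients whose role has no password are now rejected, and `peer` requires the OS user name to match the role name (or a pg_ident map); a `#` comment inside the string, such as `# local socket: OS user must match role; loopback TCP: password required`, would help administrators upgrading an existing system.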