Postgres accepts any password - postgresql

I have the following code which connects to a database on my remote server (the connection script resides on the same server):
Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);
The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!
Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?
How can I enforce passwords, I have looked at the following stack overflow page and did what they said but still no luck:
How to change PostgreSQL user password?
I am running Ubuntu 12.04 server with PHP 5.5 and Apache2

Off course your postgresql database can be properly configured to only connect with authenticated users even certain users (Roles in Postgres) from certain IPs/sockets.
Some considerations:
Do you see data? Or can you just connect to the server? Can you list the databases?
Look at your pg_hba.conf and setup the proper permissions, per role per database per source
Did you grant access to the mydatabase to everyone? Which roles did you grant access?
Does the database have its tables in the public scheme? And granted access to the public?
Yes, with this configuration everyone who knows your IP and database name can connect to your database.

Related

Firebird permission denied when connecing with FlameRobin but is okay with isql

I'm trying to connect to employee.fdb in Firebird3.0 (localhost) using FlameRobin 0.9.3 on a Ubuntu OS.
The connection to Firebird using isql has no issues. I can create users, roles, etc all from the terminal. However, when I attempt to make a connection using FlameRobin I receive a 335544344 "Error while trying to open file Permission denied" response.
This occurs with the SYSDBA profile and any other new user profiles that I create in isql. I can even create new users in FlameRobin but I cannot connect to any database. I've verified in /etc/firebird/3.0/firebird.conf that DatabaseAccess = Full and have attempted to access the db from a couple different folders in case this is a read/write issue. No success.
I feel like I'm missing something obvious. Any thoughts?
Added info in response to Mark (4/26):
The db is stored in /var/lib/firebird/3.0/data/. I have assumed this to be the default location for Firebird DBs and that the server automatically has access to it, but I suppose that might not be the case. Is there a way to confirm server permissions to this directory and/or is this the customary spot to store work?
Terminal Connection with ISQL:
daniel#daniel-desktop:~$ isql-fb
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect '/var/lib/firebird/3.0/data/employee.fdb' user sysdba password 'xxxxxxx';
Database: '/var/lib/firebird/3.0/data/employee.fdb', User: SYSDBA
SQL>
FlameRobin Database Registration Info:
FlameRobin Error:
This is a permissions issue as #MarkRotteveel suggested. Problem was that I installed the server as a user and not as root. Problem solved by removing and reinstalling both Firebird and FlameRobin as root.

Can't connect to a database with another user

I'm using Postgresql, and I have a database named django_db and a user manuel. I want to connect to this database by this user, I tried this \c django_db manuel but I get this error:
FATAL: Peer authentication failed for user "manuel"
Previous connection kept
How can I solve this problem?
Make sure the user manuel has access to the database django_db in the pg_hba.conf file, e.g.
host django_db manuel your_ip_adress md5
Or if you prefer to give this user access to all databases
host all manuel your_ip_adress md5
After modifying your pg_hba.conf you have to either restart postgres or simply reload the file using the following function:
SELECT pg_reload_conf();
Unless you have a user mapping in place, only the OS user named 'manuel' can connect as the PostgreSQL user named 'manuel'. This is what "peer authentication" means.
You have many choices here. Try this as an OS user named 'manuel', or change from peer to some other type of authentication (in pg_hba.conf), or create a pg_ident.conf file (and then configure pg_hba.conf to use it) that allows the OS user you actually are to login as PostgreSQL user 'manuel'.

Best Practice of running postgres in Ubuntu?

I just installed postgresql in Ubuntu 18.04 and been going through the official guide. Things I understand:
The installation comes with the default postgres user
We should not create databases with this default user
Instead we should create a different user
The questions I have are:
Why is this so?
Should the new user name I create be same as my ubuntu user $(whoami) ? Or should it be different ?
Should this new user be a superuser ?
When I have to delete or create databases/tables, do I have to log in to this newly created user or the default postgres user?
You should read the documentation, this is no substitute.
It is ok to use the user postgres to create databases.
Ideally there should be no remote connections with user postgres (block it in pg_hba.conf).
Never let an application connect as superuser.
You should create other database users that are not superusers to create objects and work with them.
The name of the database users has no connection to the name of your operating system users.
For maximum safety, create objects with one user and let your application connect with a different user that has the required permissions on the objects.

Fusionauth-app docker without mysql superuser credentials

I would like to connect to a hosted remote mySQL DB (mariadb 10.1.39). I use the available fusionauth docker images (app and search) from docker hub and the published docker compose file. The db hosting provider does not grant superuser credentials. The assigned user rights should be sufficient to maintain the tables of the schema. Unfortunately, using the docker container mysql superuser credentials seems to be mandatory.
I imported the DB dump of a local (dockerized) mariadb (10.1.40) to the remote db. Username and schema name are the same local and remote. I tried not to provide DATABASE_ROOT_USER with the docker-compose yaml, but this approach ends in maintenance mode.
Is there an approach to connect to a remote mysql db without superuser credentials?
We will be enhancing our automated setup to better support external db service providers. See https://github.com/FusionAuth/fusionauth-issues/issues/95
Your current option is to create the schema manually. https://fusionauth.io/docs/v1/tech/installation-guide/fusionauth-app#advanced-installation
You may also try to use your user credentials in the superuser fields, it may work.

Application Roles in PostgreSQL

On this site SQLDude talks about Application roles for MSSQL Server.
A more secure approach you could use for this is called "Application Roles". When connecting from an application you assume a particular role and only that role is granted privileges required in the database. So all apps connect via this mechanism and don’t give out SQL or NT logins for any unauthorised use. You will have to call sp_setapprole in your application with a password, once the connection is established. Once this call succeeds then the connection gets the privileges of the application role and loses privileges of the actual user, which is what we want. So if someone tried to connect to the database from SSMS or SQLCMD, they will access the DB using their credentials, which won’t have the required permissions on the tables, since only the application role has the rights on the tables. This is more secure & reliable approach, but one that requires application code change and as a DBA you will have to create the application role in SQL Server.
However i can't find the equivalent for PostgreSQL?
Is there something like this available in PostgreSQL?