Default pg_hba is extremely insecure

[iTech-Developer]

It might be more reasonable to replace the following line in pg_hba
echo 'host all all 0.0.0.0/0 trust';
with
echo 'host all all 0.0.0.0/0 md5';

Because the current configuration simply enables anyone in the world to connect to the database with no authentication whatsoever, which is really a very serious security problem because it is very likely that someone might leave the default setting of the image!

Quoting PostgreSQL documentation

trust
Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication

[md5]

See #29

[iTech-Developer]

I understand that you can provide your own configuration, but what I mean here is that the defaults need to be reasonable, because many might not change the default configuration.

In most cases, trust should not be used except with 127.0.0.1

[yosifkit]

In almost every case running this image is the same as 127.0.0.1. Unless you forward the port with -p in docker run the database will not be accessible outside your linux machine. If you are worried about other containers accessing you database, you can turn on --icc=false in the docker daemon then only containers that are --linked can talk to each other.

[iTech-Developer]

Yes, you are right.

Just it is fairly common that people will export the database port with -p to access the database remotely in such case the default configuration is extremely insecure and people might not anticipate such insecure default behavior (issue #29 demonstrates this).

My suggestion is that it is always good to have a reasonable default configuration specially for something that will be used by so many people.

[mmarzantowicz]

Please correct me if I'm wrong, but with md5 authentication explicit user account and password needs to be created because "PostgreSQL database passwords are separate from operating system user passwords." So, there is no real security advantage in setting fixed password here in Dockerfile or entry point script over passing all users without any password.

[iTech-Developer]

By default there is no default password for PostgresSQL, and typically first thing people do after installation is to set a password. But with such extremely unsecured default, even after setting a password, still anyone in the world can connect without a password. Additionally, you do not need to include any passwords in the Dockerfile, you can pass the password as environment variable or generate it on the fly.

Check the comments on the docker hub, many are really frustrated from such insecure default configuration of the official image
https://registry.hub.docker.com/_/postgres/

[mmarzantowicz]

@iTech-Developer: Passing password as command line argument is not secure either. Randomly generated one is also no go because it's not flexible enough. I fully agree with you that default settings might look strange for someone new to Docker (count me as one) but alternatives you mentioned are not better (from security pov) at all. Taking this into account there is no gain in making docker image overcomplicated. IMHO LDAP or Kerberos is the only reasonable and secure way but also not the most popular one.

[iTech-Developer]

I agree with you, all what I am suggesting that we should have a reasonable default in the official image, not either super secure or no security at all!

Beside from issue #29 it is clear that some people did not expect such default insecure behavior

[yosifkit]

I did a little research and think we can do similar to mysql and have a POSTGRES_USER that would default to postgres and then require a POSTGRES_PASSWORD like we do with the root password for the myqsl image. To not break current users, we could offer a warning that there is no password set and then fall back to "trust" all the things.

If that sounds amenable, I can get on a PR (unless someone else wants to do it).

[tianon]

+1 from me -- sounds really simple and non-intrusive for existing users as
well

We'll just want to be sure to add the warning to the documentation too.

[pikeas]

+1, sane defaults are a good idea. At the very least, an obvious warning on the Docker registry would be nice.

[defunctzombie]

The fix for this issue makes launching these containers for dev annoying. There should be a flag to turn back on allowing user logins with passwords. Right now you have to inject your own pg_hba.conf.

[Starefossen]

Yes, this change is plain out stupid. The security model of how Docker links containers together provides all the necessary protection.

Someone clearly slept through their Docker class. Here is an excerpt from the Linking Containers Together page:

So what does linking the containers actually do? You've learned that a link allows a source container to provide information about itself to a recipient container. In our example, the recipient, web, can access information about the source db. To do this, Docker creates a secure tunnel between the containers that doesn't need to expose any ports externally on the container; you'll note when we started the db container we did not use either the -P or -p flags. That's a big benefit of linking: we don't need to expose the source container, here the PostgreSQL database, to the network.