0

I'm trying to work with a PostgreSQL database I have locally, and for some odd reason the program is able to log in and make changes to the database without any username or password. I have done this same process in JavaScript and it required the username and password.

Either way, isn't it extremely strange that this simple Python script can use the database without any credentials? Code below.

import psycopg2

# Both credentials are empty strings.
user = ""
pw = ""

# The connection string must be a single string literal (no line break inside it).
conn = psycopg2.connect("dbname='log_to_db' user='" + user + "' host='localhost' password='" + pw + "'")

cur = conn.cursor()
cur.execute("SELECT * from logs WHERE id=132")
print(cur.fetchall())
conn.close()

So, this script displays a row in the table. If anyone can help me understand why it's gaining access into the database without credentials (in addition to what I need to do to fix it), I would really appreciate it!

5
  • What does your pg_hba.conf file look like? That file controls authentication mechanisms; perhaps local connections don't need a login. Also, execute the following query from your Python script to figure out what PostgreSQL user it is connecting as: select user; Commented Jan 9, 2018 at 21:04
  • I am not sure where to find that file. When I did select user it showed me a user that requires a password. I do not understand how it works without a password. Commented Jan 9, 2018 at 21:08
  • On Unix systems you can search for pg_hba.conf using the find utility. On mine, it's inside the directory /etc/postgresql/10/main. On Mac, if you install via brew, I think the file ends up in the child of /usr/local/Cellar/postgresql/ Commented Jan 9, 2018 at 21:12
  • Yes, that directory exists, but I do not see it in there. Commented Jan 9, 2018 at 21:14
  • For Homebrew-installed PostgreSQL, that file is in /usr/local/var/postgres. By default it defines "trust" for "local" (Unix socket) and "localhost" (127.0.0.1). Note that "localhost" is not in any way network accessible. Change the METHOD column to "md5" to enforce password auth. Commented Jan 22, 2018 at 21:59

1 Answer

2

There are a couple of possibilities:

  1. Psycopg2 may log in to your PostgreSQL via a password stored in the .pgpass config file.
  2. Trust authentication: this is where your environment login may have been pre-authenticated.
  3. Peer authentication: similar to trust authentication, but geared toward the database being hosted on your machine (i.e., localhost).

Given that your JavaScript code requires login cred to access the DB, #2 and #3 are most likely to be the case.

1 Comment

How do I verify this? How would I go about changing it?
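
One way to check which pg_hba.conf rule decides a given connection, as an added example that is not part of the original question, answer or comments: PostgreSQL applies the first rule that matches, so the code parses the file text and returns that rule together with whether its method (trust or peer) skips the password. The sample file content, the names `parse_hba`, `first_match` and `SAMPLE_HBA`, and the simplified matching are assumptions of this example.

```python
import ipaddress
import shlex

TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
NO_PASSWORD_METHODS = {"trust", "peer"}  # the two methods named in the thread

SAMPLE_HBA = """\
# Constructed sample: TYPE DATABASE USER ADDRESS METHOD
local   all        all                              peer
host    log_to_db  all   127.0.0.1 255.255.255.255  trust
host    all        all   127.0.0.1/32               md5
host    all        all   ::1/128                    md5
"""

def parse_hba(text):
    """Parse pg_hba.conf text into rule dicts, including 'IP netmask' addresses."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = shlex.split(line, comments=True)  # drops '#' comments, honours quotes
        if len(fields) < 4 or fields[0] not in TYPES:
            continue
        address, rest = None, fields[3:]
        if fields[0] != "local":
            address, rest = fields[3], fields[4:]
            if rest and "/" not in address and ("." in rest[0] or ":" in rest[0]):
                address, rest = address + "/" + rest[0], rest[1:]
        if rest:
            rules.append({"line": lineno, "type": fields[0], "database": fields[1],
                          "user": fields[2], "address": address, "method": rest[0],
                          "passwordless": rest[0] in NO_PASSWORD_METHODS})
    return rules

def first_match(rules, database, user, client_ip=None):
    """Return the first matching rule, or None; client_ip=None means a Unix socket."""
    # Simplified (assumption): 'all' or comma lists, numeric addresses, SSL ignored.
    for r in rules:
        pairs = ((r["database"], database), (r["user"], user))
        if (r["address"] is None) != (client_ip is None) or not all(
                want == "all" or have in want.split(",") for want, have in pairs):
            continue
        if client_ip and r["address"] != "all":
            try:
                net = ipaddress.ip_network(r["address"], strict=False)
            except ValueError:  # host name or keyword, not handled here
                continue
            if ipaddress.ip_address(client_ip) not in net:
                continue
        return r
    return None
```

Against a real server, the text to parse is the file whose path `SHOW hba_file;` returns. In the constructed sample, a connection to log_to_db from 127.0.0.1 lands on the trust rule, while the same connection arriving over ::1 lands on an md5 rule, so which address `localhost` resolves to changes the outcome.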
