From 334a2f4def1d4f9dc37718d847923cd941849607 Mon Sep 17 00:00:00 2001
From: Robert Vollmert <rob@vllmrt.net>
Date: Thu, 13 Jun 2019 15:50:37 +0200
Subject: [PATCH] gnu: postgres service: More secure default permissions.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This changes to 'peer' authentication for local socket connections,
and password-based authentication for local network connections.

* gnu/services/databases.scm (%default-postgres-hba): Change
authentication method.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 gnu/services/databases.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 7113f1f2a1..ec31489d48 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2018 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2018 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2019 Robert Vollmert <rob@vllmrt.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -91,9 +92,9 @@
 (define %default-postgres-hba
   (plain-file "pg_hba.conf"
               "
-local	all	all			trust
-host	all	all	127.0.0.1/32 	trust
-host	all	all	::1/128 	trust"))
+local	all	all			peer
+host	all	all	127.0.0.1/32 	md5
+host	all	all	::1/128 	md5"))
 
 (define %default-postgres-ident
   (plain-file "pg_ident.conf"