authorPeter Eisentraut <peter@eisentraut.org>2019-07-22 14:40:55 +0200
committerPeter Eisentraut <peter@eisentraut.org>2019-07-22 15:14:27 +0200
commit09f08930f0f6fd4a7350ac02f29124b919727198 (patch)
tree67574a95b13957707ffbd0b3fb02434ec17bf3ef
parent1e6a759838f7c104f3cd1fe6981a98780da4131b (diff)
initdb: Change authentication defaults
Change the defaults for the pg_hba.conf generated by initdb to "peer" for local (if supported, else "md5") and "md5" for host. (Changing from "md5" to SCRAM is left as a separate exercise.) "peer" is currently not supported on AIX, HP-UX, and Windows. Users on those operating systems will now either have to provide a password to initdb or choose a different authentication method when running initdb. Reviewed-by: Julien Rouhaud <rjuju123@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/bec17f0a-ddb1-8b95-5e69-368d9d0a3390%40postgresql.org
-rw-r--r--doc/src/sgml/ref/initdb.sgml17
-rw-r--r--doc/src/sgml/runtime.sgml23
-rw-r--r--doc/src/sgml/standalone-install.xml9
-rw-r--r--src/bin/initdb/initdb.c31
-rw-r--r--src/include/port.h5
-rw-r--r--src/test/regress/pg_regress.c2
6 files changed, 41 insertions, 46 deletions
diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml
index da5c8f53075..74b994b6498 100644
--- a/doc/src/sgml/ref/initdb.sgml
+++ b/doc/src/sgml/ref/initdb.sgml
@@ -137,8 +137,23 @@ PostgreSQL documentation
</para>
<para>
+ The default is <literal>peer</literal> for Unix-domain socket
+ connections on operating systems that support it, otherwise
+ <literal>md5</literal>, and <literal>md5</literal> for TCP/IP
+ connections.
+ </para>
+
+ <para>
+ When running <command>initdb</command> on a platform that does not
+ support <literal>peer</literal> authentication, either a password must
+ be provided (see <option>-W</option> and other options) or a different
+ authentication method must be chosen, otherwise
+ <command>initdb</command> will error.
+ </para>
+
+ <para>
Do not use <literal>trust</literal> unless you trust all local users on your
- system. <literal>trust</literal> is the default for ease of installation.
+ system.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 365ec75aad8..305698aa0e7 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -156,24 +156,19 @@ postgres$ <userinput>initdb -D /usr/local/pgsql/data</userinput>
</para>
<para>
- However, while the directory contents are secure, the default
- client authentication setup allows any local user to connect to the
- database and even become the database superuser. If you do not
- trust other local users, we recommend you use one of
+ The default client authentication setup is such that users can connect over
+ the Unix-domain socket to the same database user name as their operating
+ system user names (on operating systems that support this, which are most
+ modern Unix-like systems, but not Windows) and otherwise with a password.
+ To assign a password to the initial database superuser, use one of
<command>initdb</command>'s <option>-W</option>, <option>--pwprompt</option>
- or <option>--pwfile</option> options to assign a password to the
- database superuser.<indexterm>
+ or <option>--pwfile</option> options.<indexterm>
<primary>password</primary>
<secondary>of the superuser</secondary>
</indexterm>
- Also, specify <option>-A md5</option> or
- <option>-A password</option> so that the default <literal>trust</literal> authentication
- mode is not used; or modify the generated <filename>pg_hba.conf</filename>
- file after running <command>initdb</command>, but
- <emphasis>before</emphasis> you start the server for the first time. (Other
- reasonable approaches include using <literal>peer</literal> authentication
- or file system permissions to restrict connections. See <xref
- linkend="client-authentication"/> for more information.)
+ This configuration is secure and sufficient to get started. Later, see
+ <xref linkend="client-authentication"/> for more information about setting
+ up client authentication.
</para>
<para>
diff --git a/doc/src/sgml/standalone-install.xml b/doc/src/sgml/standalone-install.xml
index f584789f9a4..749a071061a 100644
--- a/doc/src/sgml/standalone-install.xml
+++ b/doc/src/sgml/standalone-install.xml
@@ -65,15 +65,6 @@ postgres$ <userinput>/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data</useri
<step>
<para>
- At this point, if you did not use the <command>initdb</command> <literal>-A</literal>
- option, you might want to modify <filename>pg_hba.conf</filename> to control
- local access to the server before you start it. The default is to
- trust all local users.
- </para>
- </step>
-
- <step>
- <para>
The previous <command>initdb</command> step should have told you how to
start up the database server. Do so now. The command should look
something like:
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 04d77ad7006..4bda023e577 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -185,7 +185,6 @@ static const char *default_timezone = NULL;
"# allows any local user to connect as any PostgreSQL user, including\n" \
"# the database superuser. If you do not trust all your local users,\n" \
"# use another authentication method.\n"
-static bool authwarning = false;
/*
* Centralized knowledge of switches to pass to backend
@@ -2392,16 +2391,6 @@ usage(const char *progname)
}
static void
-check_authmethod_unspecified(const char **authmethod)
-{
- if (*authmethod == NULL)
- {
- authwarning = true;
- *authmethod = "trust";
- }
-}
-
-static void
check_authmethod_valid(const char *authmethod, const char *const *valid_methods, const char *conntype)
{
const char *const *p;
@@ -3248,8 +3237,16 @@ main(int argc, char *argv[])
exit(1);
}
- check_authmethod_unspecified(&authmethodlocal);
- check_authmethod_unspecified(&authmethodhost);
+ if (authmethodlocal == NULL)
+ {
+#ifdef HAVE_AUTH_PEER
+ authmethodlocal = "peer";
+#else
+ authmethodlocal = "md5";
+#endif
+ }
+ if (authmethodhost == NULL)
+ authmethodhost = "md5";
check_authmethod_valid(authmethodlocal, auth_methods_local, "local");
check_authmethod_valid(authmethodhost, auth_methods_host, "host");
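Review bot: The new default block in main() picks "md5" in the `#else` branch and for host connections without a comment saying what that implies for the user. According to the initdb.sgml text in this same commit, on a platform without peer support initdb then errors unless a password is supplied; the check that enforces this lies outside the hunk. I would put a comment above the block, for example `/* Default to peer for local where supported, else md5; md5 means initdb needs -W/--pwfile. */`, and a second line recording that md5 rather than SCRAM is a deliberate interim choice, as the commit message says. main() starts and ends outside this hunk.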
@@ -3332,14 +3329,6 @@ main(int argc, char *argv[])
else
printf(_("\nSync to disk skipped.\nThe data directory might become corrupt if the operating system crashes.\n"));
- if (authwarning)
- {
- printf("\n");
- pg_log_warning("enabling \"trust\" authentication for local connections");
- fprintf(stderr, _("You can change this by editing pg_hba.conf or using the option -A, or\n"
- "--auth-local and --auth-host, the next time you run initdb.\n"));
- }
-
/*
* Build up a shell command to tell the user how to start the server
*/
diff --git a/src/include/port.h b/src/include/port.h
index b5c03d912b0..2536a2586c5 100644
--- a/src/include/port.h
+++ b/src/include/port.h
@@ -361,6 +361,11 @@ extern int fls(int mask);
extern int getpeereid(int sock, uid_t *uid, gid_t *gid);
#endif
+/* must match src/port/getpeereid.c */
+#if defined(HAVE_GETPEEREID) || defined(SO_PEERCRED) || defined(LOCAL_PEERCRED) || defined(HAVE_GETPEERUCRED)
+#define HAVE_AUTH_PEER 1
+#endif
+
#ifndef HAVE_ISINF
extern int isinf(double x);
#else
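Review bot: `HAVE_AUTH_PEER` depends in part on `SO_PEERCRED` and `LOCAL_PEERCRED`, which come from system socket headers rather than from configure, so the test only works if those headers are included before this point in port.h. The hunk does not show whether they are. If they are not, the macro stays undefined and initdb would quietly write "md5" for local connections on a platform that does support peer. The existing comment also leaves the agreement with getpeereid.c to be maintained by hand, so I would spell out both dependencies: `/* must match src/port/getpeereid.c; SO_PEERCRED and LOCAL_PEERCRED are defined by the system socket headers, which must already be included here */`.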
diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
index 117a9544eaf..4e524b22ca2 100644
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -2302,7 +2302,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
/* initdb */
header(_("initializing database system"));
snprintf(buf, sizeof(buf),
- "\"%s%sinitdb\" -D \"%s/data\" --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
+ "\"%s%sinitdb\" -D \"%s/data\" -A trust --no-clean --no-sync%s%s > \"%s/log/initdb.log\" 2>&1",
bindir ? bindir : "",
bindir ? "/" : "",
temp_instance,
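Review bot: The hard-coded `-A trust` in the initdb command line carries no explanation, and it means anyone who can reach the temporary instance's socket or port can connect as the superuser while the tests run. Whether pg_regress restricts the socket directory or the listen addresses is not visible in this hunk, so the comment should name whatever protection the harness relies on. Something like `/* -A trust: throwaway test instance; access is limited by <mechanism>, not by authentication */` above the snprintf would do, with the placeholder filled in by the author. regression_main() continues outside the hunk.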