*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

PGbouncer installs a full copy of the postgresql server packages on the
local client just to gain a 'postgres' service account.  This leads to
unnecessary confusion on clients which were never intended to host an
SQL service locally.  I found 3 (THREE!) copies of postgresql-server of
various vintages installed on a production host (left there by
inattentive developers).

The pgbouncer package is only installing postgresql packages so that it
can re-use the postgres service account for file ownerships.  The
pgbouncer package should just create an account of its own if postgres
doesn't already exist on the client host.

We use pgbouncer on clients to handle connections to remote database
clusters, not a local SQL service.  Pgbouncer does not require SQL be
present on the local server at all.

This behavior leaves unexpected and unmanaged postgresql services
running with package defaults for admin logins, etc.  I view this as a
major security problem.

** Affects: pgbouncer (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Pgbouncer installs full postgresql server just to get a service account
https://bugs.launchpad.net/bugs/1972709
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

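What the report asks for, as an added example that is not part of the bug report and not the pgbouncer package's own maintainer script: a POSIX sh postinst-style helper that reuses an existing account and otherwise creates a dedicated system user (assumed account name `pgbouncer`, assumed home `/var/run/pgbouncer`), with a `DRY_RUN` switch so it can be exercised without root, plus an audit function that flags installed postgresql server packages from `dpkg-query` output on a host that should only run pgbouncer. The sample dpkg output is constructed.

```shell
#!/bin/sh
# Added example, not pgbouncer's maintainer script. Creates a service account
# only when one is missing, instead of depending on postgresql-server for the
# 'postgres' user. Account name and home directory are assumptions.

# account_state NAME -> prints "present" or "absent".
# getent consults NSS (LDAP, sssd, ...) as well as /etc/passwd; fall back to
# /etc/passwd on minimal systems without getent.
account_state() {
    if getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null; then
        echo present
    else
        echo absent
    fi
}

# ensure_service_account NAME HOME
# Reuses an existing account; otherwise creates an unprivileged system user
# with no login shell. With DRY_RUN set, prints the adduser command instead
# of running it (the command needs root).
ensure_service_account() {
    name="$1"; home="$2"
    if [ "$(account_state "$name")" = present ]; then
        echo "account '$name' already exists; reusing it"
        return 0
    fi
    cmd="adduser --system --group --quiet --home $home --no-create-home --shell /usr/sbin/nologin $name"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# list_unexpected_server_packages
# Reads lines of the form "<package>\t<status>" on stdin, as produced by
#   dpkg-query -W -f='${Package}\t${Status}\n'
# and prints installed postgresql server packages (postgresql or
# postgresql-<version>). Client libraries and removed packages whose
# config files remain are not reported.
list_unexpected_server_packages() {
    awk -F'\t' '$1 ~ /^postgresql(-[0-9.]+)?$/ && $2 ~ /installed$/ { print $1 }'
}

# Constructed sample of dpkg-query output for an offline run.
SAMPLE_DPKG_OUTPUT=$(printf 'postgresql-14\tinstall ok installed\npgbouncer\tinstall ok installed\npostgresql-12\tdeinstall ok config-files\npostgresql-client-14\tinstall ok installed\n')

# Usage on a real host (needs root unless DRY_RUN is set):
#   DRY_RUN=1 ensure_service_account pgbouncer /var/run/pgbouncer
#   dpkg-query -W -f='${Package}\t${Status}\n' | list_unexpected_server_packages
```

The audit half is the check a practitioner would run across a fleet of pgbouncer clients: any package it prints is a server that nobody intended to install and that is running with package defaults.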