Why does the PG manual state to modify the “pg_hba.conf” file before starting the server the first time?

dba.stackexchange https://dba.stackexchange.com/questions/210926

05-01-2021

Question

The following is from https://www.postgresql.org/docs/current/static/creating-cluster.html with original emphasis on before:

or modify the generated pg_hba.conf file after running initdb, but before you start the server for the first time.

Is the manual saying this to prevent unauthorized users from accessing a poorly secured PG server? Or is there some other reason why the pg_hba.conf file should be edited before starting the server for the first time?


Solution

Yes, it is purely a security measure to prevent even momentary unauthorized access. If a hostile party on the same machine knows you are in the process of setting up a new cluster, they could easily test in a loop for it to become connectable with trust authentication. So even if you leave it open for just a few seconds, it could be exploited in that time.

If you start the server first and then edit pg_hba.conf to make it more secure but then forget to do a pg_ctl reload or equivalent, it will remain vulnerable. If you do do a reload, existing exploit connections will remain live even though new ones can't be made. If you do a pg_ctl restart or equivalent, existing exploit connections will be severed. But it only takes a few milliseconds to do serious damage. For example, they could create a new postgres superuser account with a password of their choosing. Or they can perhaps leverage the existing default PostgreSQL superuser account to manipulate the home directory of the OS user running the PostgreSQL server in arbitrary ways, including adding an entry to ~/.ssh/authorized_keys.
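The ordering the answer describes, as an added example that is not part of the original post or the PostgreSQL project: a small POSIX shell helper that rewrites the pg_hba.conf initdb generates so that no "trust" rule survives, and a bootstrap function that runs initdb, hardens the file, and only then starts the server. The policy it applies (local socket rules become "peer", TCP rules become "scram-sha-256") is this example's own choice, and the sample pg_hba.conf contents and the DATADIR path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the PostgreSQL project):
# harden a freshly generated pg_hba.conf between initdb and the first
# start, which is the window the answer above is about.
#
# Policy applied (an assumption of this example, similar to what most distro
# packages ship): local socket rules that initdb left as "trust" become
# "peer", TCP rules that were "trust" become "scram-sha-256". Comments,
# blank lines and rules with other methods are left untouched.

# Write a constructed copy of the rules initdb generates by default, plus
# one rule carrying an option, so the example runs without a real cluster.
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
hostssl all             all             0.0.0.0/0               cert clientcert=verify-full
EOF
}

# Print the number of active (non-comment) rules whose METHOD is "trust".
# METHOD is the last field that is not a name=value option.
trust_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { m = NF; while (m > 1 && index($m, "=") > 0) m--
          if ($m == "trust") n++ }
        END { print n + 0 }' "$1"
}

# Rewrite FILE in place, replacing every "trust" METHOD as described above.
harden_pg_hba() {
    file="$1"
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            m = NF; while (m > 1 && index($m, "=") > 0) m--
            if ($m == "trust") $m = ($1 == "local") ? "peer" : "scram-sha-256"
            print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The order the manual asks for: initdb, edit pg_hba.conf, only then start.
# DATADIR is a hypothetical path; run this as the OS user that will own the
# cluster. Nothing is executed when this file is merely sourced.
bootstrap_cluster() {
    datadir="$1"
    initdb -D "$datadir" >/dev/null
    harden_pg_hba "$datadir/pg_hba.conf"
    [ "$(trust_rules "$datadir/pg_hba.conf")" = 0 ] || { echo "trust rules remain" >&2; return 1; }
    pg_ctl -D "$datadir" -l "$datadir/startup.log" start
}
```

Source the file and call bootstrap_cluster /path/to/data to use it; write_sample_pg_hba and trust_rules let you dry-run the rewrite on a scratch file first. Leaving the socket rules as "peer" means the OS user that owns the cluster can still connect without a password to set one for the superuser, while the TCP rules require a password from the first start. The same result without editing the file at all is initdb's --auth-local and --auth-host options (or -A with --pwfile), which is the other route the manual offers.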

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange