Hi Andreas!
Andreas Tille [2005-01-25 9:43 +0100]:
> On Mon, Jan 24, 2005 at 10:27:10PM +0100, Andreas Tille wrote:
> >some applications do need a changed pg_hba.conf to work as expected.
>
> this raises something i'm wondering... what is the best generalized
> method for setting up an application with a username/database in
> postgresql?
>
> in the latest code, i'm doing the following:
>
> (as postgres)
> createuser $dbc_dbuser
> createdb $dbc_dbname -O $dbc_dbuser
>
> what's not clear is how the application then gets into the
> database as $dbc_dbuser. assuming it runs as www-data (or some
> system user if not a web app), should www-data be added to a map in
> pg_ident.conf to connect as $dbc_dbuser? or something in pg_hba.conf?
> also, what about authorization methods other than ident?
There are two common ways to achieve that:

- Connect as "www-data". For this you need an appropriate PostgreSQL
user ("createuser www-data" as user postgres). Then you either make
www-data the owner of the database ("createdb -O www-data mydb") or
you set the owner to some application-specific PostgreSQL user and
only GRANT the necessary permissions to www-data (usually you need
table creation etc. only for package installation and can restrict
www-data permissions to SELECT/UPDATE).

This solution has the advantage that you don't need to modify
pg_hba.conf (since you can use "ident sameuser" authentication).

The current PostgreSQL default installation does not create the
www-data user by default. If somebody convinces me that this would
be a good idea, then I wouldn't object to creating the user in the
PostgreSQL postinst, though. But instead I would rather just ship a
wrapper script that just ensures that www-data exists, and if not,
creates it.

- Connect as $dbc_dbuser and use "password" authentication. ident
does not make much sense since the database user does not necessarily
have a system user counterpart (if it has, then this would of course
work). But if it hasn't, you need a pg_hba.conf entry.

I'm open to suggestions about making modifications to pg_hba.conf
unnecessary in the common case. (I still need some time to read this
thread about the common database infrastructure *sigh*).
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
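The two approaches from the reply above, written out as shell helpers a package postinst could call. This is an added example and not code from the thread, from the Debian postgresql package or from dbconfig-common. It assumes psql is on PATH and is run as the postgres superuser; the PSQL variable and the function names (sql_literal, sql_ident, ensure_pg_user, grant_sql, pg_hba_line) are this example's own inventions. The user check uses the pg_user view, which exists in both old and current PostgreSQL releases, and the role is created with CREATE USER through psql rather than the createuser binary, so that the same query runner can be substituted for a dry run.

```shell
#!/bin/sh
# Added example, not from the mail thread. Assumes psql runs as the
# postgres superuser; PSQL can be overridden (e.g. with a stub) for testing.
PSQL=${PSQL:-psql}

# Quote a value as an SQL string literal (doubles embedded single quotes),
# so a user-supplied name cannot break out of the query.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Quote an identifier (role or table name); needed for names like www-data,
# which contain characters that are not valid in an unquoted identifier.
sql_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Approach 1: the wrapper Martin mentions. Make sure the system user has a
# PostgreSQL user of the same name, creating it without extra privileges
# if it is missing. Prints "exists" or "created".
ensure_pg_user() {
    user=$1
    n=$($PSQL -tAc "SELECT count(*) FROM pg_user WHERE usename = $(sql_literal "$user")") || return 1
    if [ "$n" = "0" ]; then
        $PSQL -qc "CREATE USER $(sql_ident "$user")" >/dev/null || return 1
        echo created
    else
        echo exists
    fi
}

# Approach 1, restricted variant: an application-specific user owns the
# schema, and www-data only receives the privileges the running
# application needs. Emits one GRANT statement per table.
#   usage: grant_sql www-data table1 table2 ... | psql mydb
grant_sql() {
    grantee=$1
    shift
    for t in "$@"; do
        printf 'GRANT SELECT, UPDATE ON %s TO %s;\n' \
            "$(sql_ident "$t")" "$(sql_ident "$grantee")"
    done
}

# Approach 2: $dbc_dbuser has no system user counterpart, so "ident
# sameuser" cannot apply and a pg_hba.conf entry is required. The default
# method here is md5 rather than "password", because "password" sends the
# password in clear text over the connection.
#   usage: pg_hba_line mydb dbuser [method]
pg_hba_line() {
    printf 'local\t%s\t%s\t%s\n' "$1" "$2" "${3:-md5}"
}
```

Source the file from a postinst and call ensure_pg_user "www-data" before createdb when the first approach is taken; for the second approach, append the output of pg_hba_line to pg_hba.conf and reload the server, since the entry only takes effect after a reload.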